Shulou(Shulou.com)05/31 Report--

This article is about how to carry out Microsoft Defender remote code execution CVE-2021-1647 vulnerability analysis, the editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.

In January 2021, the Nebula attack and Defense Lab monitored that Microsoft had issued a risk notification for a Microsoft Defender buffer overflow vulnerability numbered CVE-2021-1647, vulnerability level: high risk.

An attacker can cause Microsoft Defender remote code execution by constructing a special PE file.

Vulnerability description

Windows Defender has a heap overflow vulnerability when scanning executables with built-in emulation execution components. An attacker can induce the victim to download a malicious file constructed by the attacker by sending an email or malicious link to the target victim, thus causing Windows Defender to trigger exploitation of this vulnerability when automatically scanning the malicious file, and finally take control of the victim's computer.

The vulnerability is currently exploited in the wild, beware of Wechat receiving unfamiliar files, Wechat will automatically download to the download directory, Windows Defender scanning will automatically trigger malicious files to pop up cmd.

Affected version

-Microsoft:Microsoft Defender:Windows 8.1 for 32-bit systems

-Microsoft:Microsoft Defender:Windows 7 for x64-based Systems Service Pack 1

-Microsoft:Microsoft Defender:Windows 7 for 32-bit Systems Service Pack 1

-Microsoft:Microsoft Defender:Windows Server 2016 (Server Core installation)

-Microsoft:Microsoft Defender:Windows Server 2016

-Microsoft:Microsoft Defender:Windows 10 Version 1607 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1607 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows 10 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows Server, version 20H2 (Server Core Installation)

-Microsoft:Microsoft Defender:Windows 10 Version 20H2 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 20H2 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows 10 Version 20H2 for x64-based Systems

-Microsoft:Microsoft Defender:Windows Server, version 2004 (Server Core installation)

-Microsoft:Microsoft Defender:Windows 10 Version 2004 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 2004 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 2004 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows Server, version 1909 (Server Core installation)

-Microsoft:Microsoft Defender:Windows 10 Version 1909 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1909 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1909 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows Server 2019 (Server Core installation)

-Microsoft:Microsoft Defender:Windows Server 2019

-Microsoft:Microsoft Defender:Windows 10 Version 1809 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1809 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1809 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1803 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1803 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1803 for 32-bit Systems

-Microsoft:Microsoft System Center 2012 Endpoint Protection

-Microsoft:Microsoft Security Essentials

-Microsoft:Microsoft System Center 2012 R2 Endpoint Protection

-Microsoft:Microsoft System Center Endpoint Protection

-Microsoft:Microsoft Defender:Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

-Microsoft:Microsoft Defender:Windows Server 2008 for 32-bit Systems Service Pack 2

-Microsoft:Microsoft Defender:Windows RT 8.1

-Microsoft:Microsoft Defender:Windows 8.1 for x64-based systems

-Microsoft:Microsoft Defender:Windows Server 2012 R2 (Server Core installation)

-Microsoft:Microsoft Defender:Windows Server 2012 R2

-Microsoft:Microsoft Defender:Windows Server 2012 (Server Core installation)

Vulnerability level

High risk

Repair suggestion

1. Update with one click. Microsoft Windows version updates should be carried out in a timely manner and Windows automatic updates should be kept on.

The process for Windows server / Windows to detect and enable Windows automatic update is as follows:

Click the start menu and select Control Panel from the pop-up menu to proceed to the next step.

Click "system and Security" on the control panel page to enter the settings.

In the new interface that pops up, select enable or disable automatic updates in windows update.

Then go to the settings window, expand the drop-down menu item, and select the automatic installation update (recommended).

2. Suggestions for temporary repair

Find your own vulnerability patches in line with the operating system version, and download and install the patches.

The above is how to carry out Microsoft Defender remote code execution CVE-2021-1647 vulnerability analysis, the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.