CVE-2020-1002: Microsoft Defender Elevation of Privilege Vulnerability

Overview

Severity
N/A
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2020-Apr
Released
2020-04-14
EPSS Score
0.33% (percentile: 55.9%)

Description

An elevation of privilege vulnerability exists when the MpSigStub.exe for Defender allows file deletion in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted command that could exploit the vulnerability and delete protected files on an affected system once MpSigStub.exe ran again. The update addresses the vulnerability and blocks the arbitrary deletion.

FAQ

References Identification Last version of the MpSigStub.exe affected by this vulnerability 1.1.16637.0 First version of the MpSigStub.exe with this vulnerability addressed Version 1.1.16638.0 1. Why is no action required to install this update? In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner. For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating. Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment. 2, How often are the malware definitions updated? Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed. Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time. 3. What is the MpSigStub.exe? MpSigStub.exe is a component that’s responsible for installing definition updates. 4. Does this update contain any additional security-related changes to functionality? Yes. In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features. 5. Where can I find more information about Microsoft antimalware tec

Affected Products (46)

System Center

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft System Center Endpoint Protection
  • Microsoft System Center 2012 R2 Endpoint Protection
  • Microsoft Security Essentials
  • Microsoft System Center 2012 Endpoint Protection
  • Windows Defender on Windows 10 Version 1909 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1909 for x64-based Systems
  • Windows Defender on Windows 10 Version 1909 for ARM64-based Systems
  • Windows Defender on Windows Server, version 1909 (Server Core installation)
  • Windows Defender on Windows 10 Version 1803 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1803 for x64-based Systems
  • Windows Defender on Windows Server, version 1803 (Server Core Installation)
  • Windows Defender on Windows 10 Version 1803 for ARM64-based Systems
  • Windows Defender on Windows 10 Version 1809 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1809 for x64-based Systems
  • Windows Defender on Windows 10 Version 1809 for ARM64-based Systems
  • Windows Defender on Windows Server 2019
  • Windows Defender on Windows Server 2019 (Server Core installation)
  • Windows Defender on Windows 10 Version 1709 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1709 for x64-based Systems
  • Windows Defender on Windows 10 Version 1709 for ARM64-based Systems
  • Windows Defender on Windows 10 Version 1903 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1903 for x64-based Systems
  • Windows Defender on Windows 10 Version 1903 for ARM64-based Systems
  • Windows Defender on Windows Server, version 1903 (Server Core installation)
  • Windows Defender on Windows 10 for 32-bit Systems
  • Windows Defender on Windows 10 for x64-based Systems
  • Windows Defender on Windows 10 Version 1607 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1607 for x64-based Systems
  • Windows Defender on Windows Server 2016
  • Windows Defender on Windows Server 2016 (Server Core installation)
  • Windows Defender on Windows 7 for 32-bit Systems Service Pack 1
  • Windows Defender on Windows 7 for x64-based Systems Service Pack 1
  • Windows Defender on Windows 8.1 for 32-bit systems
  • Windows Defender on Windows 8.1 for x64-based systems
  • Windows Defender on Windows RT 8.1
  • Windows Defender on Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Defender on Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Defender on Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Defender on Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Defender on Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Defender on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Defender on Windows Server 2012
  • Windows Defender on Windows Server 2012 (Server Core installation)
  • Windows Defender on Windows Server 2012 R2
  • Windows Defender on Windows Server 2012 R2 (Server Core installation)

Acknowledgments

Zhiniang Peng (@edwardzpeng) of Qihoo 360 Core security and Fangming Gu (@afang5472)

Revision History

  • 2020-04-14: Information published.