CVE-2020-1170: Microsoft Windows Defender Elevation of Privilege Vulnerability

Overview

Severity
N/A
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2020-Jun
Released
2020-06-09
Last Updated
2020-09-16
EPSS Score
0.15% (percentile: 36.3%)

Description

An elevation of privilege vulnerability exists in Windows Defender that leads arbitrary file deletion on the system. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how the Windows Defender handles file operations.

FAQ

References Identification Affected binaries MpCmdRun.exe Last version of MpCmdRun.exe affected by this vulnerability Version 4.18.2004.6 and earlier antimalware platform First version of MpCmdRun.exe with this vulnerability addressed Version 4.18.2005.1 Why is no action required to install this update? MpCmdRun.exe is part of the monthly Defender update package installed automatically without a need for machine reboot. See KB4052623: Update for Windows Defender antimalware platform Customers should still check the Windows Defender antimalware client version to make sure the update is happening on their machine. How often is the Windows Defender antimalware platform updated? Microsoft typically releases an update for the Windows Defender antimalware platform once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed. Depending on which Microsoft antimalware software is used and how it is configured, the software may search for platform, engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time. What is MpCmdRun.exe? MpCmdRun.exe is the Windows Defender command line utility executable used to automate Windows Defender tasks like scheduled scan, scheduled update, cleanup, verification, and maintenance. Does this update contain any additional security-related changes to functionality? Yes. In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features. Where can I find more information about Microsoft antimalware technology? For more information, visit the Microsoft Malware Protection Center website. Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue? Vulnerability scanner

Affected Products (46)

System Center

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft System Center Endpoint Protection
  • Microsoft System Center 2012 R2 Endpoint Protection
  • Microsoft Security Essentials
  • Microsoft System Center 2012 Endpoint Protection
  • Windows Defender on Windows 10 Version 1803 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1803 for x64-based Systems
  • Windows Defender on Windows Server, version 1803 (Server Core Installation)
  • Windows Defender on Windows 10 Version 1803 for ARM64-based Systems
  • Windows Defender on Windows 10 Version 1809 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1809 for x64-based Systems
  • Windows Defender on Windows 10 Version 1809 for ARM64-based Systems
  • Windows Defender on Windows Server 2019
  • Windows Defender on Windows Server 2019 (Server Core installation)
  • Windows Defender on Windows 10 Version 1909 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1909 for x64-based Systems
  • Windows Defender on Windows 10 Version 1909 for ARM64-based Systems
  • Windows Defender on Windows Server, version 1909 (Server Core installation)
  • Windows Defender on Windows 10 Version 1709 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1709 for x64-based Systems
  • Windows Defender on Windows 10 Version 1709 for ARM64-based Systems
  • Windows Defender on Windows 10 Version 1903 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1903 for x64-based Systems
  • Windows Defender on Windows 10 Version 1903 for ARM64-based Systems
  • Windows Defender on Windows Server, version 1903 (Server Core installation)
  • Windows Defender on Windows 10 for 32-bit Systems
  • Windows Defender on Windows 10 for x64-based Systems
  • Windows Defender on Windows 10 Version 1607 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1607 for x64-based Systems
  • Windows Defender on Windows Server 2016
  • Windows Defender on Windows Server 2016 (Server Core installation)
  • Windows Defender on Windows 7 for 32-bit Systems Service Pack 1
  • Windows Defender on Windows 7 for x64-based Systems Service Pack 1
  • Windows Defender on Windows 8.1 for 32-bit systems
  • Windows Defender on Windows 8.1 for x64-based systems
  • Windows Defender on Windows RT 8.1
  • Windows Defender on Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Defender on Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Defender on Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Defender on Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Defender on Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Defender on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Defender on Windows Server 2012
  • Windows Defender on Windows Server 2012 (Server Core installation)
  • Windows Defender on Windows Server 2012 R2
  • Windows Defender on Windows Server 2012 R2 (Server Core installation)

Acknowledgments

ap aka &quot;somaro&quot;, Clément Labro (<a href="https://twitter.com/itm4n">@itm4n</a>)

Revision History

  • 2020-06-09: Information published.
  • 2020-09-16: Added an FAQ. This is an information change only.