Microsoft Defender远程代码执行漏洞

2021年1月，星云攻防实验室监测到Microsoft发布了Microsoft Defender 缓冲区溢出缝隙的危险通告，该缝隙编号为CVE-2021-1647，缝隙等级：高危。

攻击者经过结构特别的PE文件,可形成Microsoft Defender 远程代码执行。

缝隙描绘

Windows Defender 在使用内置模拟执行组件扫描可执行文件时，存在一处堆溢出缝隙。攻击者可经过向目标受害者发送邮件或歹意链接等方法诱导受害者下载攻击者结构的歹意文件，从而使 Windows Defender 在主动扫描歹意文件时触发使用该缝隙，最终控制受害者计算机。

该缝隙现在有在野使用，谨防微信接纳陌生文件，微信会主动下载放到download目录，Windows Defender扫描后会主动触发歹意文件从而弹出cmd。

受影响版别

-Microsoft:Microsoft Defender:Windows 8.1 for 32-bit systems

-Microsoft:Microsoft Defender:Windows 7 for x64-based Systems Service Pack 1

-Microsoft:Microsoft Defender:Windows 7 for 32-bit Systems Service Pack 1

-Microsoft:Microsoft Defender:Windows Server 2016 (Server Core installation)

-Microsoft:Microsoft Defender:Windows Server 2016

-Microsoft:Microsoft Defender:Windows 10 Version 1607 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1607 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows 10 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows Server, version 20H2 (Server Core Installation)

-Microsoft:Microsoft Defender:Windows 10 Version 20H2 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 20H2 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows 10 Version 20H2 for x64-based Systems

-Microsoft:Microsoft Defender:Windows Server, version 2004 (Server Core installation)

-Microsoft:Microsoft Defender:Windows 10 Version 2004 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 2004 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 2004 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows Server, version 1909 (Server Core installation)

-Microsoft:Microsoft Defender:Windows 10 Version 1909 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1909 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1909 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows Server 2019 (Server Core installation)

-Microsoft:Microsoft Defender:Windows Server 2019

-Microsoft:Microsoft Defender:Windows 10 Version 1809 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1809 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1809 for 32-bit Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1803 for ARM64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1803 for x64-based Systems

-Microsoft:Microsoft Defender:Windows 10 Version 1803 for 32-bit Systems

-Microsoft:Microsoft System Center 2012 Endpoint Protection

-Microsoft:Microsoft Security Essentials

-Microsoft:Microsoft System Center 2012 R2 Endpoint Protection

-Microsoft:Microsoft System Center Endpoint Protection

-Microsoft:Microsoft Defender:Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

-Microsoft:Microsoft Defender:Windows Server 2008 for 32-bit Systems Service Pack 2

-Microsoft:Microsoft Defender:Windows RT 8.1

-Microsoft:Microsoft Defender:Windows 8.1 for x64-based systems

-Microsoft:Microsoft Defender:Windows Server 2012 R2 (Server Core installation)

-Microsoft:Microsoft Defender:Windows Server 2012 R2

-Microsoft:Microsoft Defender:Windows Server 2012 (Server Core installation)

缝隙级别

高危

修正主张

1、进行一键更新。应及时进行Microsoft Windows版别更新并且坚持Windows主动更新敞开。

Windows server / Windows 检测并敞开Windows主动更新流程如下：

• 点击开始菜单，在弹出的菜单中挑选“控制面板”进行下一步。

• 点击控制面板页面中的“系统和安全”，进入设置。

• 在弹出的新的界面中挑选“windows update”中的“启用或禁用主动更新”。

• 然后进入设置窗口，展开下拉菜单项，挑选其中的主动装置更新（引荐） 。

2、暂时修补主张

经过如下链接自行寻觅符合操作系统版别的缝隙补丁，并进行补丁下载装置。

2021 年 1 月安全更新 - 发行说明 - 安全更新程序攻略 - Microsoft
https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan