Attacked MS Defender vulnerabilities and BitLocker protection measures

CISA warns of attacks on Microsoft vulnerabilities up to 18 years old. Patches protect Defender, and Microsoft names countermeasures against a BitLocker vulnerability.


The US IT security authority CISA warns of current attacks on several Microsoft vulnerabilities and on a vulnerability in Adobe Acrobat and Reader. The oldest of the attacked vulnerabilities is already 18 years old. Microsoft is providing updates for the attacked Microsoft Defender and naming manual countermeasures for BitLocker to protect against the YellowKey attack.

In total, CISA lists seven attacked security vulnerabilities. These include a buffer overflow in the Windows Server Service from Windows 2000 to Server 2008 (CVE-2008-4250, CVSS 9.8, Risk “critical”), a vulnerability in DirectX 7 to 9 (CVE-2009-1537, CVSS 8.8, Risk “high”), and two well-aged security vulnerabilities in Internet Explorer (CVE-2010-0249 and CVE-2010-0806, CVSS 8.8, Risk “high”). Also currently under attack, and a mere 17 years old, is a heap-based buffer overflow in Adobe Reader and Acrobat 7.x, 8.x, and 9.x that was already being attacked back then (CVE-2009-3459, CVSS 8.8, Risk “high”). Anyone still using such old and known vulnerable software should urgently consider isolating the systems or, ideally, updating to a current state.

But security vulnerabilities are also being attacked in current software: Microsoft has fixed a privilege escalation vulnerability in its anti-malware software Defender, which is based on incorrect link resolution before file access and allows SYSTEM-level access after successful exploitation (CVE-2026-41091, CVSS 7.8, Risk “high”). In addition, a security vulnerability allows the antimalware service to be disabled (Denial of Service, DoS) (CVE-2026-45498, CVSS 4.0, Risk “medium”). Microsoft explains in the vulnerability entries that the fixes for the security-relevant errors in Defender should have already reached the end devices via automatic signature updates.

Another security vulnerability in Defender allows attackers from the network to inject malicious code. Here too, the update should have already been applied automatically (CVE-2026-45584, CVSS 8.1, Risk “high”). However, attacks on this have not yet been observed. The Microsoft Malware Protection Engine from version 1.1.26040.8 and Microsoft Defender Antimalware Platform from version 4.18.26040.7 contain the fixes for all three vulnerabilities.


Microsoft is also reacting to the vulnerability in BitLocker, which has been given the code name “YellowKey.” Because of it, unauthorized individuals can unlock BitLocker drives fairly easily. Microsoft does not rate the risk particularly high (CVE-2026-45585, CVSS 6.8, Risk “medium”). In the vulnerability entry, Microsoft initially complains that the publication of the proof-of-concept exploit violates the coordinated best practices for handling security vulnerabilities.

Then the developers name countermeasures that are intended to provide protection against the attack. The described procedure changes the Windows Recovery Environment so that the BootExecute entry “autofstx.exe” is removed from the WinRE registry. In addition, adding a PIN for unlocking is intended to protect against the attack.
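As an added example (not from the article and not Microsoft's own procedure), the following read-only PowerShell audit checks both parts of the countermeasure described above: whether “autofstx.exe” is still listed in the WinRE hive's BootExecute value, and whether the BitLocker OS volume has a TPM+PIN protector. It assumes an elevated session, that the WinRE SYSTEM hive uses ControlSet001 when loaded offline, and uses the mount path C:\WinREMount and hive name WinRE_SYSTEM as arbitrary choices; it changes nothing, since the WinRE mount is discarded.

```powershell
# Added audit example (not from the article or Microsoft). Read-only: the WinRE
# image is unmounted with /discard, so no change is written back.
# Assumptions: run as Administrator; reagentc.exe and reg.exe available;
# the offline WinRE SYSTEM hive exposes ControlSet001; paths/names are arbitrary.
$MountPath = 'C:\WinREMount'     # arbitrary mount directory
$HiveName  = 'WinRE_SYSTEM'      # arbitrary name for the loaded hive
New-Item -ItemType Directory -Path $MountPath -Force | Out-Null

# Mount the currently registered WinRE image.
reagentc /mountre /path $MountPath
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed (exit $LASTEXITCODE)" }

try {
    $hive = Join-Path $MountPath 'Windows\System32\config\SYSTEM'
    reg load "HKLM\$HiveName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE)" }
    try {
        # BootExecute is a REG_MULTI_SZ under Session Manager (assumed ControlSet001 offline).
        $key = "HKLM:\$HiveName\ControlSet001\Control\Session Manager"
        $bootExecute = (Get-ItemProperty -Path $key -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
        if (-not $bootExecute) {
            Write-Output 'WinRE BootExecute: value not present or empty'
        } else {
            Write-Output 'WinRE BootExecute entries:'
            $bootExecute | ForEach-Object { Write-Output "  $_" }
            if ($bootExecute | Where-Object { $_ -match 'autofstx\.exe' }) {
                Write-Warning 'autofstx.exe is still listed in WinRE BootExecute'
            } else {
                Write-Output 'autofstx.exe not found in WinRE BootExecute'
            }
        }
    } finally {
        [gc]::Collect()                      # drop key handles before unloading the hive
        reg unload "HKLM\$HiveName" | Out-Null
    }
} finally {
    reagentc /unmountre /path $MountPath /discard   # read-only audit: discard the mount
}

# Second part of the countermeasure: does the OS volume require a PIN at boot?
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }) {
    Write-Output 'BitLocker OS volume: TPM+PIN protector present'
} else {
    Write-Warning 'BitLocker OS volume: no TPM+PIN protector (TPM-only unlock)'
}
```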

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.