Microsoft closes 12-year-old vulnerability CVE-2021-24092 in Defender (Feb. 9, 2021)

[German]On patchday (February 9, 2021), Microsoft also fixed the CVE-2021-24092 vulnerability in Defender, which has probably existed for at least 12 years. This allows an attacker to elevate privileges under Windows, and this without the user's intervention. However, there is no known exploitation.


As of February 9, 2021, there was a security update for Microsoft Defender (formerly Windows Defender) that closes the vulnerability CVE-2021-24092. According to Microsoft, the vulnerability affects Microsoft Malware Protection Engine since version 1.1.17700.4, it's fixed in version 1.1.17800.5.

The description of CVE-2021-24092 (Microsoft Defender Elevation of Privilege Vulnerability) from Microsoft does not provide any real detail. But the security researchers at Sentinel LABS, who discovered the vulnerability, described the vulnerability on Feb. 10, 2021, in the post CVE-2021-24092: 12 Years in Hiding – A Privilege Escalation Vulnerability in Windows Defender.

The vulnerability CVE-2021-24092

Defender has been deeply integrated into every system since Windows 7 (actually since Windows XP/Vista) as Windows Defender, but is now called Microsoft Defender. We are talking about more than 1 billion devices that were compromised by the vulnerability. Since the Microsoft Malware Protection Engine versions are also used in other products (Forefront, Microsoft Security Essentials, etc.), the vulnerability could have been present there as well (but here the security researchers who discovered the flaw didn't make a statement).

CVE-2021-24092 is a serious vulnerability in Windows Defender that allows attackers to escalate privileges from a non-administrator user account. The problem was the BTR.sys (Boot Time Removal Tool) driver, which is responsible for deleting file system and registry resources as part of the cleanup process within Windows Defender. This allows Defender to remove such items created by malicious software in kernel mode.

Defender-Schwachstelle CVE-2021-24092
Defender vulnerability CVE-2021-24092 in BTR.sys, Source Sentinel LABS


When the driver is loaded, it first creates a handle to a file that contains the log of operations during activation. The problem with the vulnerability lies in the way the driver creates the handle to this particular file (see screenshot). The register r14d is xored to zero, so the parameter CreateDisposition gets the constant FILE_SUPERSEDE. FILE_SUPERSEDE is considered a transaction that first deletes the original file and then creates a new file. In the routine in question there is no check whatsoever whether this file is a link or not. Creating a (hard) link to


would therefore allow attackers to overwrite arbitrary files. In the article, the security researchers demonstrate the scenario that can be used to elevate user privileges and overwrite files with malware without the user's intervention. A search on VirusTotal found Microsoft-signed versions of this driver from 2009 that contained the flaw. Microsoft sees exploitation of the vulnerability as unlikely, but has automatically updated Defender on February 9, 2021. There are no reports of exploitation so far. (via)

Similar articles:
Windows Server 2019: Defender Performance Issues
Microsoft Defender Package for Windows Install-image Updates
Microsoft Defender: Download Feature removed …
Security concerns about Microsoft Defender download feature
Microsoft Defender blocks Citrix services as Trojan
Windows 10: Does Defender forget defined exclusions?
Windows 10: Is the Defender GUI bug hiding defined exclusions fixed?

Windows Defender flags CCleaner as PUP – Part 1
Windows Defender flags Windows Hosts file as malicious – Part 2
Defender blocks redirected Microsoft hosts entries – Part 3
Issues with Defender Update KB4052623 (March 2020)?

Cookies helps to fund this blog: Cookie settings


This entry was posted in issue, Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *