
Exploited MS Defender Vulnerabilities and BitLocker Protection Measures

CISA warns of attacks on Microsoft vulnerabilities that are up to 18 years old. Updates fix the Microsoft Defender flaws, and manual countermeasures address the BitLocker vulnerability. The U.S. cybersecurity agency CISA warns of ongoing attacks on several Microsoft vulnerabilities and one flaw in Adobe Acrobat and Reader. The oldest of the exploited vulnerabilities is already 18 years old. Microsoft is shipping updates for the beleaguered Microsoft Defender and names manual countermeasures to protect BitLocker against the "YellowKey" attack.

In total, CISA lists [1] seven exploited security vulnerabilities. Among them are a buffer overflow in the Windows Server service from Windows 2000 through Server 2008 (CVE-2008-4250 [2], CVSS 9.8, risk "critical"; this is the MS08-067 flaw made infamous by the Conficker worm), a vulnerability in DirectX 7 through 9 (CVE-2009-1537 [3], CVSS 8.8, risk "high") and two well-documented security vulnerabilities in Internet Explorer (CVE-2010-0249 [4], exploited in the Operation Aurora attacks, and CVE-2010-0806 [5], each CVSS 8.8, risk "high"). Also 17 years old is a currently exploited heap-based buffer overflow in Adobe Reader and Acrobat 7.x, 8.x and 9.x, which has already been targeted in the past (CVE-2009-3459 [6], CVSS 8.8, risk "high"). Anyone still running software this old and notoriously vulnerable should urgently isolate those systems or, better, upgrade to a current version.

Current software is not spared either: Microsoft has patched a privilege escalation flaw in its Defender anti-malware software. The bug stems from incorrect link resolution before file access (a link-following flaw) and, if successfully exploited, grants SYSTEM privileges (CVE-2026-41091 [7], CVSS 7.8, risk "high"). A second vulnerability lets attackers knock out the anti-malware service (denial of service, DoS) (CVE-2026-45498, CVSS 4.0, risk "medium"). According to Microsoft, the automatic updates of the malware protection engine, which arrive through the same channel as the signature updates, should already have delivered the fixes for both flaws to endpoint devices.

A third Defender vulnerability lets attackers inject and execute malicious code over the network; here too, the update should already have been applied automatically (CVE-2026-45584 [8], CVSS 8.1, risk "high"). No attacks on this vulnerability have been observed so far. Microsoft Malware Protection Engine version 1.1.26040.8 or later and Microsoft Defender Antimalware Platform version 4.18.26040.7 or later contain the fixes for all three vulnerabilities.
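Because the fixes arrive through Defender's own update channel rather than Windows Update, a practitioner will want to verify that the engine and platform on a given endpoint have actually reached the fixed versions named above. The following PowerShell check is an added example (not from the article or from Microsoft): it reads the installed versions via the Defender module's Get-MpComputerStatus cmdlet, compares them against the fixed versions as proper version objects, and forces an update if either is behind. It assumes Windows with Microsoft Defender Antivirus active and the Defender PowerShell module present; the function name Test-DefenderPatched is ours.

```powershell
# Added example: verify Defender engine/platform against the fixed versions
# named in the article. Not Microsoft's code; Test-DefenderPatched is our own name.

# Fixed versions as stated in the article
$FixedEngine   = [version]'1.1.26040.8'    # Microsoft Malware Protection Engine
$FixedPlatform = [version]'4.18.26040.7'   # Microsoft Defender Antimalware Platform

function Test-DefenderPatched {
    [CmdletBinding()]
    param(
        [version]$MinEngine   = $FixedEngine,
        [version]$MinPlatform = $FixedPlatform
    )
    # Get-MpComputerStatus reports the engine as AMEngineVersion and the
    # antimalware platform as AMProductVersion.
    $status = Get-MpComputerStatus

    if ([string]::IsNullOrEmpty($status.AMEngineVersion)) {
        # Happens when Defender is passive/disabled (e.g. third-party AV installed)
        throw 'Defender engine version not reported; is Microsoft Defender Antivirus active?'
    }

    # Compare as [version], not as strings: '1.1.26040.8' -gt '1.1.9999.0' would be
    # wrong lexically but is correct as a version comparison.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        EnginePatched    = ($engine -ge $MinEngine)
        PlatformVersion  = $platform
        PlatformPatched  = ($platform -ge $MinPlatform)
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
        ServiceEnabled   = $status.AMServiceEnabled
    }
}

$result = Test-DefenderPatched
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning 'Defender engine or platform is below the fixed version; forcing an update.'
    # Update-MpSignature pulls the current security intelligence package; engine
    # updates are delivered through the same channel, so re-check afterwards.
    Update-MpSignature
    Test-DefenderPatched | Format-List
}
```

For a fleet, the same function can be pushed to many hosts with Invoke-Command and the resulting objects collected centrally; any host whose EnginePatched or PlatformPatched is false, or that throws because Defender is not active, is the one to look at.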

"YellowKey" countermeasures. Microsoft is also responding to the BitLocker vulnerability that has been given the codename "YellowKey" [9], through which unauthorized persons can unlock BitLocker-protected drives with relatively little effort. Microsoft does not rate the risk as particularly high (CVE-2026-45585 [10], CVSS 6.8, risk "medium"). In the vulnerability entry, Microsoft first complains that the publication of the proof-of-concept exploit violated the agreed best practices of coordinated disclosure for handling security vulnerabilities.

The developers then name countermeasures that are meant to protect against the attack. The described procedure modifies the Windows Recovery Environment (WinRE) so that the "autofstx.exe" entry is removed from the BootExecute value in WinRE's registry. In addition, configuring a PIN for unlocking (TPM plus PIN instead of a TPM-only protector) should protect against the attack: with a TPM-only protector the drive is unlocked without any user interaction, whereas a PIN withholds the volume key until the user has authenticated at boot.
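The two countermeasures above are manual steps, and the article does not reproduce Microsoft's exact instructions. The following PowerShell script is an added illustration of how both would typically be carried out with standard Windows tools (reagentc, reg and the BitLocker module); it is not Microsoft's published procedure. Assumptions, labelled as such: the script runs elevated; WinRE is enabled on the machine; the offline SYSTEM hive of the mounted WinRE image is at Windows\System32\config\SYSTEM; BootExecute lives under ControlSet00N\Control\Session Manager of that hive, with Select\Current naming the active control set; the BitLocker group policy value UseTPMPIN under HKLM\SOFTWARE\Policies\Microsoft\FVE must allow a PIN. The mount directory, hive alias and function names are ours. Test on a non-production machine first and keep a recovery key at hand.

```powershell
# Added example (not Microsoft's procedure): remove the autofstx.exe BootExecute entry
# from WinRE's offline SYSTEM hive, then switch the OS volume to a TPM+PIN protector.
# Assumptions are marked; run elevated, test on a non-production machine first.

$Mount   = 'C:\WinRE_Mount'   # our choice of mount directory
$HiveKey = 'WinRE_SYS'        # our temporary name for the loaded offline hive

function Remove-WinReBootExecuteEntry {
    param([string]$Pattern = 'autofstx')

    New-Item -ItemType Directory -Path $Mount -Force | Out-Null
    reagentc /mountre /path $Mount              # mount winre.wim read/write
    if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }

    # Assumption: the WinRE image keeps its SYSTEM hive at the usual location
    $hivePath = Join-Path $Mount 'Windows\System32\config\SYSTEM'
    Copy-Item $hivePath "$hivePath.bak" -Force  # backup before touching the hive
    reg load "HKLM\$HiveKey" $hivePath | Out-Null
    try {
        # An offline hive has no CurrentControlSet; Select\Current says which one is active
        $current = (Get-ItemProperty "HKLM:\$HiveKey\Select").Current
        $smKey   = "HKLM:\$HiveKey\ControlSet{0:D3}\Control\Session Manager" -f $current

        $before = @((Get-ItemProperty $smKey).BootExecute)    # REG_MULTI_SZ -> string[]
        $after  = @($before | Where-Object { $_ -notmatch $Pattern })

        if ($after.Count -eq $before.Count) {
            Write-Host "No BootExecute entry matching '$Pattern' in WinRE; nothing to change."
        } else {
            Write-Host "BootExecute before: $($before -join ' | ')"
            Write-Host "BootExecute after:  $($after  -join ' | ')"
            Set-ItemProperty -Path $smKey -Name BootExecute -Value $after -Type MultiString
        }
    } finally {
        [gc]::Collect()                                   # drop handles so the hive unloads
        reg unload "HKLM\$HiveKey" | Out-Null
    }
    reagentc /unmountre /path $Mount /commit              # write the change back into winre.wim
    if ($LASTEXITCODE -ne 0) { throw "reagentc /unmountre failed ($LASTEXITCODE)" }
}

function Add-BitLockerStartupPin {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Never change protectors without a recovery password to fall back on
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; add and back one up first."
    }
    # Assumption: policy 'Require additional authentication at startup' is configured;
    # UseTPMPIN 0 = do not allow, 1 = require, 2 = allow. Without it the call below fails.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $fve -or $fve.UseTPMPIN -eq 0) {
        Write-Warning 'Group policy does not allow a startup PIN; set UseTPMPIN first.'
    }

    $pin = Read-Host -Prompt 'New BitLocker startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Verify: a TpmPin protector must now be present. If a TPM-only protector is still
    # listed, the drive still unlocks without a PIN and that protector must go.
    $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
    $protectors | Select-Object KeyProtectorType, KeyProtectorId
    if ($protectors.KeyProtectorType -contains 'Tpm') {
        Write-Warning 'A TPM-only protector remains; remove it with Remove-BitLockerKeyProtector.'
    }
}

Remove-WinReBootExecuteEntry
Add-BitLockerStartupPin
```

The WinRE edit only takes effect for the image that is committed back, so machines that receive a refreshed winre.wim later (for example through a feature update) need the check repeated; the BootExecute comparison printed by the function makes that audit cheap. The recovery-password guard is there because a failed protector change on an encrypted OS volume is otherwise a self-inflicted lockout.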

(dmk [12])

URL of this article: https://www.heise.de/-11301580

Links in this article:

[1] https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog
[2] https://nvd.nist.gov/vuln/detail/cve-2008-4250
[3] https://nvd.nist.gov/vuln/detail/CVE-2009-1537
[4] https://nvd.nist.gov/vuln/detail/CVE-2010-0249
[5] https://nvd.nist.gov/vuln/detail/CVE-2010-0806
[6] https://nvd.nist.gov/vuln/detail/CVE-2009-3459
[7] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
[8] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45584
[9] https://www.heise.de/news/Windows-Sicherheitsluecken-BitLocker-Problem-und-Rechteausweitung-11297192.html
[10] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
[12] mailto:dmk@heise.de

Copyright © 2026 Heise Medien
