CISA warns of attacks on Microsoft vulnerabilities some 18 years old. Patches protect Defender and countermeasures address BitLocker vulnerability. The U.S. IT security agency CISA warns of ongoing attacks on several Microsoft vulnerabilities and on a flaw in Adobe Acrobat and Reader. The oldest of the exploited vulnerabilities is already 18 years old. Microsoft provides updates for the attacked Microsoft Defender and names manual countermeasures for BitLocker to protect against the "YellowKey" attack.
In total, CISA lists [1] seven exploited security vulnerabilities. These include a buffer overflow in the Windows Server Service affecting Windows 2000 through Server 2008 (CVE-2008-4250 [2], CVSS 9.8, risk "critical"), a vulnerability in DirectX 7 through 9 (CVE-2009-1537 [3], CVSS 8.8, risk "high") and two well-documented security vulnerabilities in Internet Explorer (CVE-2010-0249 [4] and CVE-2010-0806 [5], CVSS 8.8, risk "high"). Also 17 years old is a currently exploited heap-based buffer overflow in Adobe Reader and Acrobat 7.x, 8.x and 9.x, which had already been targeted once before (CVE-2009-3459 [6], CVSS 8.8, risk "high"). Anyone still running such old and notoriously vulnerable software should urgently isolate those systems or, better, upgrade to a supported version.
Back to the present: current software also harbors actively exploited security vulnerabilities. Microsoft has patched a privilege escalation flaw in its anti-malware software Defender that stems from improper link resolution before file access (a link-following flaw) and, if exploited successfully, grants access with SYSTEM privileges (CVE-2026-41091 [7], CVSS 7.8, risk "high"). In addition, a vulnerability allows attackers to incapacitate the anti-malware service (Denial of Service, DoS) (CVE-2026-45498, CVSS 4.0, risk "medium"). According to Microsoft, automatic signature updates should already have delivered the fixes for these security-relevant errors to endpoint devices.
Another Defender vulnerability allows attackers to inject malware over the network. Here too, the update should already have been applied automatically ([8] CVE-2026-45584, CVSS 8.1, risk "high"); no attacks on this vulnerability have been observed so far. Microsoft Malware Protection Engine version 1.1.26040.8 and later and Microsoft Defender Antimalware Platform version 4.18.26040.7 and later contain the fixes for all three vulnerabilities.
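Since the fixes arrive through Defender's own update channel rather than a visible patch, an administrator will want to verify the installed engine and platform versions against the numbers above. The following PowerShell snippet is an added example, not code from the heise article or from Microsoft; it uses the standard Defender cmdlets `Get-MpComputerStatus` and `Update-MpSignature`, and the two fixed version numbers are taken from the text.

```powershell
# Added example (not from the article or Microsoft): compare the local Defender
# engine and platform versions with the fixed versions named in the article.
$fixedEngine   = [version]'1.1.26040.8'    # Microsoft Malware Protection Engine
$fixedPlatform = [version]'4.18.26040.7'   # Microsoft Defender Antimalware Platform

$status   = Get-MpComputerStatus
$engine   = [version]$status.AMEngineVersion    # engine version reported by Defender
$platform = [version]$status.AMProductVersion   # platform version reported by Defender

$result = [pscustomobject]@{
    EngineVersion    = $engine
    EnginePatched    = ($engine -ge $fixedEngine)
    PlatformVersion  = $platform
    PlatformPatched  = ($platform -ge $fixedPlatform)
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureUpdated = $status.AntivirusSignatureLastUpdated
}
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning 'Defender engine and/or platform are below the fixed versions.'
    # Definition updates normally ship the engine as well; the platform update
    # itself is delivered through Windows Update, so check there if this is not enough.
    Update-MpSignature
}
```

A `PlatformPatched` of `False` on a machine that reports recent signatures is the case worth chasing: the engine travels with definitions, but the platform package is a separate Windows Update component that can lag behind on systems with restricted update policies.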
"YellowKey" Countermeasures. Microsoft is also responding to the BitLocker vulnerability that has been given the codename "YellowKey" [9], which lets unauthorized persons unlock BitLocker-protected drives with relatively little effort. Microsoft rates the risk as not particularly high ([10] CVE-2026-45585, CVSS 6.8, risk "medium"). In the vulnerability entry, Microsoft first criticizes the publication of the proof-of-concept exploit as a violation of agreed best practices for handling security vulnerabilities.
Microsoft then lists countermeasures intended to protect against the attack. The described procedure modifies the Windows Recovery Environment so that the BootExecute entry "autofstx.exe" is removed from the WinRE registry. In addition, configuring a PIN for unlocking (a TPM-plus-PIN protector instead of TPM only) should protect against the attack.
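To show what the two countermeasures amount to in practice, here is an added PowerShell illustration; it is not Microsoft's published procedure from the advisory and not code from the article, so follow the advisory for the authoritative steps. It services the offline WinRE image with the standard DISM cmdlets, loads its SYSTEM hive, strips any `autofstx.exe` entry from the `BootExecute` value, and then adds a TPM+PIN protector with `Add-BitLockerKeyProtector`. The scratch directory, the temporary hive name and the `Winre.wim` location are assumptions; the script must run in an elevated session.

```powershell
# Added example (not Microsoft's documented procedure): remove the autofstx.exe
# BootExecute entry from the offline WinRE SYSTEM hive and add a TPM+PIN protector.
$ErrorActionPreference = 'Stop'
$mountDir = 'C:\WinRE_Mount'                            # assumed scratch directory
$hiveKey  = 'WinRE_SYSTEM'                              # assumed temporary hive name
$wimPath  = 'C:\Windows\System32\Recovery\Winre.wim'    # default location after reagentc /disable

reagentc /disable | Out-Null     # moves Winre.wim back into the Windows partition for servicing
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $wimPath -Index 1 -Path $mountDir | Out-Null

try {
    reg load "HKLM\$hiveKey" "$mountDir\Windows\System32\config\SYSTEM" | Out-Null

    # An offline hive has no CurrentControlSet link; resolve the active set from Select\Default.
    $default = (Get-ItemProperty "HKLM:\$hiveKey\Select").Default
    $smKey   = "HKLM:\$hiveKey\ControlSet{0:D3}\Control\Session Manager" -f $default

    $before = @((Get-ItemProperty $smKey).BootExecute)          # REG_MULTI_SZ, one program per entry
    $after  = @($before | Where-Object { $_ -notmatch 'autofstx\.exe' })

    if ($after.Count -ne $before.Count) {
        Set-ItemProperty -Path $smKey -Name BootExecute -Value $after -Type MultiString
        "Removed from WinRE BootExecute: $($before | Where-Object { $_ -match 'autofstx\.exe' })"
    } else {
        'No autofstx.exe entry in WinRE BootExecute; hive left unchanged.'
    }
} finally {
    [gc]::Collect()                                  # drop provider handles so the hive unloads cleanly
    reg unload "HKLM\$hiveKey" | Out-Null
    Dismount-WindowsImage -Path $mountDir -Save | Out-Null   # -Save commits the edited hive into Winre.wim
    reagentc /enable | Out-Null
}

# Second countermeasure: require a PIN at boot in addition to the TPM.
# The policy "Require additional authentication at startup" must permit TPM+PIN.
$pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Format-Table KeyProtectorType
```

The `-Save` on `Dismount-WindowsImage` is what persists the registry change into `Winre.wim`; without it the edit is discarded. After re-enabling WinRE with `reagentc /enable`, a `reagentc /info` should report the recovery environment as enabled again, and the final `KeyProtector` listing should show `TpmPin` alongside the recovery password.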
(dmk). URL of this article:
https://www.heise.de/-11301580
Links in this article:
https://nvd.nist.gov/vuln/detail/cve-2008-4250
https://nvd.nist.gov/vuln/detail/CVE-2009-1537
https://nvd.nist.gov/vuln/detail/CVE-2010-0249
https://nvd.nist.gov/vuln/detail/CVE-2010-0806
https://nvd.nist.gov/vuln/detail/CVE-2009-3459
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45584
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
Copyright © 2026 Heise Medien