#VU21290 Input validation error in Microsoft products - CVE-2019-1255 

 


Published: September 23, 2019


Vulnerability identifier: #VU21290
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-1255
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Microsoft Security Essentials
Windows Defender
Microsoft Forefront Endpoint Protection
Software vendor:
Microsoft

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of files within the Microsoft Malware Protection Engine in Microsoft Defender. A remote attacker can create a specially crafted file, trick the victim into executing it and prevent legitimate accounts from executing legitimate system binaries. 


Remediation

Install updates from the vendor's website.
This vulnerability was addressed in Microsoft Malware Protection Engine 1.1.16400.2.
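
To confirm the remediation took effect, the following added example (not part of the original advisory or any Microsoft tooling) compares the loaded engine version with the fixed version 1.1.16400.2. It assumes hosts where the Defender PowerShell module provides Get-MpComputerStatus; the function name Test-MpEngineFixed and its ComputerName parameter are hypothetical.

```powershell
# Fixed engine version, taken from the Remediation section of this advisory.
$FixedEngine = [version]'1.1.16400.2'

function Test-MpEngineFixed {
    param(
        # Hypothetical parameter: hosts to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($name in $ComputerName) {
        $result = [ordered]@{ ComputerName = $name; EngineVersion = $null; Status = 'Unknown' }
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $mp = Get-MpComputerStatus -ErrorAction Stop
            } else {
                # Remote hosts are queried over a CIM session that is always cleaned up.
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                try { $mp = Get-MpComputerStatus -CimSession $session -ErrorAction Stop }
                finally { Remove-CimSession $session }
            }
            # Cast to [version] so the comparison is numeric per component, not a string compare.
            $engine = [version]$mp.AMEngineVersion
            $result.EngineVersion = $engine
            if ($engine -eq [version]'0.0.0.0') {
                # Assumption: an all-zero version means the engine is not reporting on this host.
                $result.Status = 'EngineNotReporting'
            } elseif ($engine -ge $FixedEngine) {
                $result.Status = 'Fixed'
            } else {
                $result.Status = 'Vulnerable'
            }
        } catch {
            # Cmdlet missing, service stopped, or host unreachable: report it instead of guessing.
            $result.Status = "QueryFailed: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

Test-MpEngineFixed | Format-Table -AutoSize
```

Hosts that report QueryFailed or EngineNotReporting need a manual check, since the engine version could not be established for them.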

External links