CVE-2019-1161 | Microsoft Defender Elevation of Privilege Vulnerability

  • Question

  • Hi everyone,

    Our Nessus scanner detected the following vulnerability :

    • Description

      The version of Microsoft Malware Protection Signature Update Stub (MpSigStub.exe) installed on the remote Windows host is prior to 1.1.16200.1. It is, therefore, affected by an elevation of privilege vulnerability which could allow an attacker who successfully exploited this vulnerability to elevate privileges on the system.

    • Solution

      Enable automatic updates to update the scan engine for the relevant antimalware applications. Refer to Knowledge Base Article 2510781 for information on how to verify that MMPE has been updated.

    • Plugin Output

      Product : Microsoft Malware Protection Signature Update Stub
      Path : C:\Windows\System32\MpSigStub.exe
      Installed version : 1.1.15000.2
      Fixed version : 1.1.16200.1

    I don't understand how to fix that issue; are there any patches?

    EDIT:

    I found a way to update it. If I manually launch Windows Defender, it will automatically update MpSigStub.exe.

    Now the question is: as Windows Defender is not our default antivirus, is there a way to automate a scan every weekend that checks the MpSigStub version on all the workstations?

    Regards,

    Lucas


    • Edited by Lucas092 Wednesday, August 28, 2019 2:29 PM found a clue
    Wednesday, August 28, 2019 1:36 PM
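One way to run the weekend check the question asks for, as an added example that is not code from this thread: it reads the MpSigStub.exe file version on each workstation over PowerShell Remoting and compares it with the fixed version the scanner reports. The target list file, the report path and the use of WinRM with admin rights are assumptions you adapt to your environment.

```powershell
# Added example, not from the thread: audit MpSigStub.exe across workstations
# against the fixed version reported by the scanner (1.1.16200.1).
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets, the caller
# has local admin rights there, and the C:\audit\ paths are placeholders.
$FixedVersion = [version]'1.1.16200.1'
$Computers    = Get-Content -Path 'C:\audit\workstations.txt'   # one hostname per line

# Collect the version remotely; build it from the numeric parts so that a
# FileVersion string carrying extra text still parses cleanly.
$Results = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    $path = Join-Path $env:SystemRoot 'System32\MpSigStub.exe'
    $ver  = $null
    if (Test-Path -LiteralPath $path) {
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; FileVersion = $ver }
}

# Classify each host: NotPresent (file deleted, which the CVE article's step 6
# allows when Defender is disabled), Vulnerable, or Patched.
$Report = @(foreach ($r in $Results) {
    $status = if (-not $r.FileVersion)                           { 'NotPresent' }
              elseif ([version]$r.FileVersion -lt $FixedVersion) { 'Vulnerable' }
              else                                               { 'Patched' }
    [pscustomobject]@{ Computer = $r.Computer; FileVersion = $r.FileVersion; Status = $status }
})

# Hosts that never answered are a finding too: the scanner will still flag them.
$Answered = @($Results | ForEach-Object { $_.PSComputerName })
foreach ($c in $Computers | Where-Object { $_ -notin $Answered }) {
    $Report += [pscustomobject]@{ Computer = $c; FileVersion = $null; Status = 'Unreachable' }
}

$Report | Sort-Object Status, Computer |
    Export-Csv -Path 'C:\audit\MpSigStub-report.csv' -NoTypeInformation
$Report | Where-Object Status -ne 'Patched' | Format-Table -AutoSize
```

Register the script as a weekly scheduled task (for example with a `New-ScheduledTaskTrigger -Weekly` trigger) and the CSV gives you the list of hosts that still need the signature update or the file removal.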

All replies

  • I've got the same issue as Lucas. We have Symantec EndPoint which looks like it disables Defender. Any help would be greatly appreciated.
    Tuesday, September 3, 2019 1:31 PM
  • Chiming in as well with the same issue detected from Tenable.io. We have Defender disabled through Group Policy and are running Symantec Endpoint Protection. What's interesting is that this vulnerability was only detected on our external web servers.

    In any case, not sure how to resolve this issue if we don't even have Defender enabled?

    Tuesday, September 3, 2019 6:52 PM
  • I'm having the issue too. We run EndGame, so Defender is disabled and receives no updates. Now I'm getting flagged for this exe being out of date. I can't even find an offline installer to push to the machines.
    Wednesday, September 4, 2019 6:17 PM
  • Same issue here. Defender is disabled but still seeing the vulnerability. Can't find offline installer to update the defender..

    Please help and update for any solution.

    Thursday, September 5, 2019 3:09 PM
  • I found a way to update it by enabling "Periodic Scanning". After enabling this, an option appears to "Check for Updates" which updates it to the latest version. Not ideal, but a workaround, which leaves Defender open to continual updating until the user reboots again. Working on a startup script to run this as well, which forces it to update even when disabled:

    rem Force a signature update even though Defender is not the active antivirus
    cd /d "%ProgramFiles%\Windows Defender"
    MpCmdRun.exe -RemoveDefinitions -DynamicSignatures
    MpCmdRun.exe -SignatureUpdate


    Friday, September 6, 2019 12:02 PM
  • Hi Jack,

    Please keep us posted if you find something.

    Regards,

    Tuesday, September 17, 2019 12:11 PM
  • Good morning all,

    I looked through that CVE-2019-1161 article and step #6 says what you can do if you have defender disabled.

    6. The definitions are not updating on my system. What do I do?

    This security update is delivered only through definition updates. This cannot happen if Defender is in a disabled state (such as in the case of a third-party antivirus product providing real time protection). If Defender is disabled, you can delete the vulnerable file from the system: C:\WINDOWS\System32\MpSigStub.exe.

    If Defender is re-enabled at a later time, MpSigStub.exe will be replaced with an updated version when signatures are updated.

    Hope this helps. 

    Thursday, September 19, 2019 12:47 PM
  • This worked for me. Thanks for posting.
    Friday, October 4, 2019 8:01 PM