
Cloud Vulnerability DB
A community-led vulnerabilities database
Microsoft Defender Elevation of Privilege Vulnerability (CVE-2021-24092) is a severe security flaw in Windows Defender that remained undiscovered for 12 years, from approximately 2009 until its disclosure in 2021. Windows Defender is installed by default on more than 1 billion Windows devices. The issue was reported to the Microsoft Security Response Center (MSRC) on November 16, 2020, and was patched by Microsoft on February 9, 2021 (SentinelLabs).
The vulnerability resides in the BTR.sys driver, which is part of Windows Defender's remediation process. The driver creates a handle to a log file without verifying whether the file is a link, which allows an attacker to overwrite arbitrary files through a hard link attack. The vulnerability has been assigned a CVSS 3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: it requires local access with low privileges and no user interaction, and has high impact on confidentiality, integrity and availability (NVD).
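The check the paragraph above says was missing, shown as a POSIX analogue in C: a privileged writer opens its log without truncating, inspects the opened handle, and refuses a symlink or a file that has more than one hard link. This is an added example, not BTR.sys code or Microsoft's patch; `open_log_no_links`, `demo` and the file names are hypothetical, and the files are constructed in a temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for a privileged writer; return fd, or -1 if the path is a
 * symlink, not a regular file, or one of several hard links to the same data. */
int open_log_no_links(const char *path)
{
    /* O_NOFOLLOW rejects a symlink; no O_TRUNC, so nothing changes yet. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Check the opened handle, not the path, so the answer cannot go stale. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        ftruncate(fd, 0) != 0) {   /* reset the log only after the checks */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: 1 if a fresh log opens and a pre-planted hard link
 * is refused with the linked file left untouched; 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/hardlink-demo-XXXXXX", target[64], planted[64], fresh[64];
    if (!mkdtemp(dir))
        return 0;
    snprintf(target, sizeof target, "%s/protected.dat", dir);
    snprintf(planted, sizeof planted, "%s/planted.log", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.log", dir);
    FILE *f = fopen(target, "w");
    if (!f) return 0;
    fputs("keep", f);
    fclose(f);
    if (link(target, planted) != 0) return 0;   /* two names, one file */
    int fd_fresh = open_log_no_links(fresh);
    int fd_planted = open_log_no_links(planted);
    struct stat st;
    int ok = fd_fresh >= 0 && fd_planted == -1 &&
             stat(target, &st) == 0 && st.st_size == 4;
    if (fd_fresh >= 0) close(fd_fresh);
    unlink(fresh); unlink(planted); unlink(target); rmdir(dir);
    return ok;
}

int main(void) { printf("%s\n", demo() ? "link refused" : "check failed"); return 0; }
```

On Windows the corresponding link count is the `nNumberOfLinks` field returned by `GetFileInformationByHandle`.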
The vulnerability enables attackers to escalate privileges from a non-administrator user to higher privileges on affected systems. This could potentially allow attackers to disable security products and perform other malicious activities with elevated system access. The vulnerability affects all Windows Defender versions from around 2009 until the patch release (SentinelLabs).
Microsoft has released a security patch to address this vulnerability. Machines running an updated version of Windows Defender are protected against CVE-2021-24092. Additionally, recent versions of Windows 10, when updated, include native protection against EoP exploits using hard links (SentinelLabs).
Source: This report was generated using AI