CVE-2019-0627 - Windows Security Feature Bypass Vulnerability


    Last Updated: 20 Feb 2019 at 00:01

    A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine.

    To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program.

    The update addresses the vulnerability by correcting how Windows validates User Mode Code Integrity policies.

    Exploitability Assessment

    The following table provides an exploitability assessment for this vulnerability at the time of original publication.

    | Publicly Disclosed | Exploited | Latest Software Release | Older Software Release | Denial of Service |
    |---|---|---|---|---|
    | No | No | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not Applicable |

    Security Updates

    To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

    | Product | Platform | Article | Download | Impact | Severity | Supersedence |
    |---|---|---|---|---|---|---|
    | PowerShell Core 6.1 | | Release Notes | Security Update | Security Feature Bypass | Important | |
    | PowerShell Core 6.2 | | Release Notes | Security Update | Security Feature Bypass | Important | |
    | Windows 10 for 32-bit Systems | | 4487018 | Security Update | Security Feature Bypass | Important | 4480962 |
    | Windows 10 for x64-based Systems | | 4487018 | Security Update | Security Feature Bypass | Important | 4480962 |
    | Windows 10 Version 1607 for 32-bit Systems | | 4487026 | Security Update | Security Feature Bypass | Important | 4480961 |
    | Windows 10 Version 1607 for x64-based Systems | | 4487026 | Security Update | Security Feature Bypass | Important | 4480961 |
    | Windows 10 Version 1703 for 32-bit Systems | | 4487020 | Security Update | Security Feature Bypass | Important | 4480973 |
    | Windows 10 Version 1703 for x64-based Systems | | 4487020 | Security Update | Security Feature Bypass | Important | 4480973 |
    | Windows 10 Version 1709 for 32-bit Systems | | 4486996 | Security Update | Security Feature Bypass | Important | 4480978 |
    | Windows 10 Version 1709 for 64-based Systems | | 4486996 | Security Update | Security Feature Bypass | Important | 4480978 |
    | Windows 10 Version 1709 for ARM64-based Systems | | 4486996 | Security Update | Security Feature Bypass | Important | 4480978 |
    | Windows 10 Version 1803 for 32-bit Systems | | 4487017 | Security Update | Security Feature Bypass | Important | 4480966 |
    | Windows 10 Version 1803 for ARM64-based Systems | | 4487017 | Security Update | Security Feature Bypass | Important | 4480966 |
    | Windows 10 Version 1803 for x64-based Systems | | 4487017 | Security Update | Security Feature Bypass | Important | 4480966 |
    | Windows 10 Version 1809 for 32-bit Systems | | 4487044 | Security Update | Security Feature Bypass | Important | 4480116 |
    | Windows 10 Version 1809 for ARM64-based Systems | | 4487044 | Security Update | Security Feature Bypass | Important | 4480116 |
    | Windows 10 Version 1809 for x64-based Systems | | 4487044 | Security Update | Security Feature Bypass | Important | 4480116 |
    | Windows Server 2016 | | 4487026 | Security Update | Security Feature Bypass | Important | 4480961 |
    | Windows Server 2016 (Server Core installation) | | 4487026 | Security Update | Security Feature Bypass | Important | 4480961 |
    | Windows Server 2019 | | 4487044 | Security Update | Security Feature Bypass | Important | 4480116 |
    | Windows Server 2019 (Server Core installation) | | 4487044 | Security Update | Security Feature Bypass | Important | 4480116 |
    | Windows Server, version 1709 (Server Core Installation) | | 4486996 | Security Update | Security Feature Bypass | Important | 4480978 |
    | Windows Server, version 1803 (Server Core Installation) | | 4487017 | Security Update | Security Feature Bypass | Important | 4480966 |

    Mitigations

    Microsoft has not identified any mitigating factors for this vulnerability.

    Workarounds

    Microsoft has not identified any workarounds for this vulnerability.

    Acknowledgements

    Matt Graeber of SpecterOps

    See acknowledgements for more information.

    Disclaimer

    The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

    Revisions

    | Version | Date | Description |
    |---|---|---|
    | 1.0 | 02/12/2019 | Information published. |
    | 2.0 | 02/19/2019 | Revised the Security Updates table to include PowerShell Core 6.1 and 6.2 because they are affected by this vulnerability. See "Microsoft Security Advisory - Multiple UMCI bypass vulnerabilities" (Issue #13, PowerShell/Announcements, GitHub) for more information. |

    Source: https://portal.msrc.microsoft.com/en.../CVE-2019-0627
    Posted By: Brink
    19 Feb 2019


  1. Posts : 981
    W10 Pro v21H2
       #1

    @Brink,

    Would I be interpreting this fine notification from MS correctly if I read the entry for "Windows 10 Version 1809 for x64-based Systems" as meaning that, if I have installed the KB4487044 update on such a system, this vulnerability is now patched on that system, and it is now safe from said vulnerability?

    Is it safe???? (cue Sir Laurence Olivier voice from Marathon Man)


  2. Posts : 68,881
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #2

    Hello @mta3006,

    Correct. KB4487044 includes the fix for Windows 10 v1809.
      My Computers
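
    A way to run the check discussed in the two posts above on a given machine. This is an added example, not part of the advisory or of either post; it uses only the version-specific KB numbers from the Security Updates table, and the function name `Test-Cve20190627Fix` is made up here. It also reports whether a UMCI policy is being enforced, since that is the feature the advisory says is bypassed.

```powershell
# KB numbers copied from the Security Updates table, keyed by Windows ReleaseId.
# The two unversioned "Windows 10 for ..." rows (4487018) and the PowerShell Core
# rows are not covered here: they are not identified by a ReleaseId value.
$FixByRelease = @{
    '1607' = 'KB4487026'   # also Windows Server 2016
    '1703' = 'KB4487020'
    '1709' = 'KB4486996'
    '1803' = 'KB4487017'
    '1809' = 'KB4487044'   # also Windows Server 2019
}

function Test-Cve20190627Fix {
    [CmdletBinding()]
    param()

    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release = $cv.ReleaseId
    $kb      = $null
    if ($release -and $FixByRelease.ContainsKey($release)) { $kb = $FixByRelease[$release] }

    # Device Guard state: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $umci = 'Unknown'
    if ($dg) {
        switch ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus) {
            0 { $umci = 'Off' }
            1 { $umci = 'Audit' }
            2 { $umci = 'Enforced' }
        }
    }

    $kbPresent = $null
    if ($kb) { $kbPresent = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue) }

    [pscustomobject]@{
        ReleaseId         = $release
        Build             = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
        UmciStatus        = $umci
        ListedKb          = $kb
        ListedKbInstalled = $kbPresent   # $null when the release is not in the table
    }
}

Test-Cve20190627Fix | Format-List
```

    Windows 10 updates are cumulative, so a later cumulative update replaces the KB listed in the table. `ListedKbInstalled = False` on a machine that has been patched since February 2019 therefore does not by itself mean the fix is missing; compare the reported build against the update history for that Windows version.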


 
