Guidance for CVE-2022-23278 spoofing in Microsoft Defender for Endpoint

Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This Important-class spoofing vulnerability impacts all platforms. We wish to thank Falcon Force for the collaboration on addressing this issue through coordinated vulnerability disclosure.

Cybercriminals are looking for any opening to tamper with security protections in order to blind, confuse, or often shut off customer defenses. Microsoft continuously works to defeat these methods to help our customers protect their environment and gain visibility when attacks occur, both through our own research and in partnership with the security community. With our March security update release, we are further hardening Microsoft Defender for Endpoint by addressing the ability for attackers to spoof information between the client and the service. This vulnerability impacts all platforms, and the updates we have released should be deployed just like any other security update. On Windows, this is part of the March Cumulative Update for Windows, so if automatic updates are scheduled, no further action is necessary. For those who do not have automatic updates turned on, we recommend doing so. Customers using the latest operating systems benefit from new operating system capabilities that allow strong protections. Instructions for the normal deployment method are below:

Release Channel                        | Available | Next Step
Windows Update and Microsoft Update    | Yes       | None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business            | Yes       | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog               | Yes       | To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS)  | Yes       | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 11, Windows 10, Windows Server 2016, Windows Server 2019, or Windows Server 2022. Classification: Security Updates. Products past end of life will not receive the update.
Microsoft AutoUpdate for macOS         | Yes       | Information on automatic or manual configuration can be found here.
Updates for Linux                      | Yes       | Information on manual installation can be found here.
Google Play Store                      | Yes       | Information on deploying and configuring updates on Android can be found here.
Apple App Store                        | Yes       | Information on deploying and configuring updates on iOS can be found here.

At time of publication, Microsoft is not aware of any attacks that have leveraged this vulnerability. In addition to the security update, Microsoft has released detections for possible exploit activity. Customers should monitor for those detections (list below) and consult the threat analytics article (requires license and access) which surfaces risk and possible exploit activity.

  • Suspicious client communication – detects suspicious client communication which could either be caused by device spoofing or duplicate device IDs.
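As an added illustration of the kind of signal the detection above keys on, the following Python heuristic flags a device ID that reports two different host identities within a short time window. This is example code written for this page, not Microsoft's detection logic and not code from the original post; the record fields (device_id, hostname, source_ip, timestamp) and the sample check-ins are constructed assumptions.

```python
"""Hypothetical duplicate-device-ID heuristic over constructed check-in records.

Added illustration only: the record schema and the one-hour window are
assumptions, and the sample data below is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: each entry is one client check-in to the service.
SAMPLE_CHECKINS = [
    {"device_id": "dev-0001", "hostname": "FIN-LAPTOP-07", "source_ip": "10.1.4.22",
     "timestamp": "2022-03-08T09:00:00"},
    {"device_id": "dev-0001", "hostname": "FIN-LAPTOP-07", "source_ip": "10.1.4.22",
     "timestamp": "2022-03-08T09:05:00"},
    # Same device ID, but a different hostname and network five minutes later:
    # two machines appear to share one identity, which is the suspicious pattern.
    {"device_id": "dev-0001", "hostname": "UNKNOWN-PC", "source_ip": "203.0.113.9",
     "timestamp": "2022-03-08T09:10:00"},
    {"device_id": "dev-0002", "hostname": "HR-DESKTOP-03", "source_ip": "10.1.5.40",
     "timestamp": "2022-03-08T09:00:00"},
    # Same device ID from a new IP a week later: a laptop that changed network,
    # far outside the window, so it is not flagged.
    {"device_id": "dev-0002", "hostname": "HR-DESKTOP-03", "source_ip": "10.2.5.41",
     "timestamp": "2022-03-15T09:00:00"},
]


def _parse_ts(value):
    """Parse the ISO-8601 timestamp used by the constructed records."""
    return datetime.fromisoformat(value)


def find_duplicate_device_ids(checkins, window=timedelta(hours=1)):
    """Return {device_id: [(identity_before, identity_after), ...]} for every
    device ID that reported two different (hostname, source_ip) identities
    within `window` of each other. An empty dict means nothing was flagged."""
    by_device = defaultdict(list)
    for c in checkins:
        identity = (c["hostname"], c["source_ip"])
        by_device[c["device_id"]].append((_parse_ts(c["timestamp"]), identity))

    findings = {}
    for device_id, events in by_device.items():
        events.sort()  # chronological order so adjacent pairs are consecutive check-ins
        conflicts = []
        for (prev_ts, prev_identity), (ts, identity) in zip(events, events[1:]):
            if identity != prev_identity and ts - prev_ts <= window:
                conflicts.append((prev_identity, identity))
        if conflicts:
            findings[device_id] = conflicts
    return findings


if __name__ == "__main__":
    for device_id, conflicts in find_duplicate_device_ids(SAMPLE_CHECKINS).items():
        for before, after in conflicts:
            print(f"{device_id}: {before} then {after} within the window")
```

Running the block over the constructed records flags only dev-0001, because dev-0002's identity change is a week apart. In practice the window and the notion of "identity" (hostname, network, OS fingerprint) are tuning choices; the point is that one enrolled device identity should not be reporting from two places at once.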

Customers are encouraged to apply the March security updates as soon as possible. Official documentation on the updates can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278

– Microsoft Defender for Endpoint Team