Microsoft Confirms Critical Windows Defender Vulnerability Fixed Behind the Scenes

Microsoft has confirmed a critical-rated security vulnerability in Windows Defender (CVE-2024-49071) that could allow sensitive data to be leaked over a network. However, users do not need to take any action, as the issue has been fully mitigated by Microsoft behind the scenes.

The vulnerability arose because Windows Defender created a search index of private or sensitive documents without proper access controls. Despite this, no known exploit has been reported, and an attacker would require some degree of access to Windows Defender to exploit it.

Microsoft’s security response team announced in June 2024 that it would issue CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or take action. In this case, the vulnerability was fully mitigated by Microsoft without requiring user intervention.

This approach demonstrates transparency and good security practices, as users are notified of the issue but do not need to take any additional steps to protect themselves.

Source: https://www.forbes.com/sites/daveywinder/2024/12/14/new-critical-windows-defender-vulnerability-confirmed-by-microsoft