- Researcher “Chaotic Eclipse” discloses new Microsoft Defender zero-day dubbed RedSun
- Flaw enables local privilege escalation to SYSTEM by abusing Defender’s file rewrite behavior
- Comes days after BlueHammer release; Microsoft says it investigates and supports coordinated disclosure
The same disgruntled researcher who recently disclosed a zero-day vulnerability in Windows has now done it again, this time targeting Microsoft Defender, the operating system’s native antivirus solution.
A researcher using the alias “Chaotic Eclipse” has posted a proof-of-concept (PoC) exploit for a vulnerability they named “RedSun”. It is a local privilege escalation flaw that allows malicious actors to gain SYSTEM privileges on the latest versions of Windows 10, Windows 11, and Windows Server with Windows Defender enabled.
“When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that’s supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location,” Chaotic Eclipse wrote. “The PoC abuses this behavior to overwrite system files and gain administrative privileges.”
“Horrible experience”
BleepingComputer confirmed that the flaw works, and says some antivirus vendors on VirusTotal are already detecting the PoC because the executable contains an embedded EICAR antivirus test file.
The news comes roughly 10 days after Chaotic Eclipse released the code for BlueHammer, a privilege escalation flaw that allows local attackers to gain SYSTEM or elevated admin permissions on the target endpoint.
Apparently, the researcher was unsatisfied with the way Microsoft handles vulnerability disclosure.
“Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I’m not sure if I was the only one who had this horrid experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything,” Chaotic Eclipse apparently said.
“They mopped the floor with me and pulled every childish game they could. It was so bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”
In response, Microsoft said it has a “customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible.
“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” a Microsoft spokesperson told BleepingComputer.
