- “Chaotic Eclipse” researcher reveals new Microsoft Defender Zero Day called RedSun
- Flaw allows local privilege escalation to SYSTEM by abusing Defender’s file rewrite behavior
- Arriving a few days after the release of BlueHammer; Microsoft says it is investigating and supporting coordinated disclosure
The same disgruntled researcher who recently revealed a zero-day vulnerability in Windows is at it again, this time targeting Microsoft Defender, the operating system’s native antivirus solution.
A researcher going by the pseudonym “Chaotic Eclipse” has published a proof-of-concept (PoC) exploit for a vulnerability he named “RedSun.” This is a local privilege escalation vulnerability that grants malicious actors SYSTEM privileges in the latest versions of Windows 10, Windows 11, and Windows Server, with Windows Defender enabled.
“When Windows Defender realizes that a malicious file has a cloud tag, for some stupid and hilarious reason, the antivirus that’s supposed to protect decides it’s a good idea to simply rewrite the file it found to its original location,” Chaotic Eclipse wrote. “PoC abuses this behavior to overwrite system files and gain administrative privileges.”
“Horrible experience”
BleepingComputer confirmed that the flaw works and noted that some antivirus vendors on VirusTotal already detect the PoC executable because it contains an embedded EICAR antivirus test file.
The news comes approximately 10 days after Chaotic Eclipse released code for BlueHammer, a privilege escalation flaw that allows local attackers to gain elevated SYSTEM or administrator permissions on the target endpoint.
Apparently, the researcher was unhappy with the way Microsoft handles vulnerability disclosure.
“Normally I would beg them to fix a bug, but long story short, they told me personally that they were going to ruin my life and they did. I’m not sure if I was the only one who had this horrible experience or if few people did, but I think most would eat it and cut their losses, but for me, they took it all away,” Chaotic Eclipse apparently said.
“They cleaned the floor with me and played every childish game they could. It was so bad at one point that I wondered if I was dealing with a big corporation or someone who was just having fun watching me suffer, but it seems to be a collective decision.”
In response, Microsoft said it was committed “to our customers to investigate reported security issues and update affected devices to protect customers as soon as possible.”
“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure that issues are thoroughly investigated and resolved before public disclosure, supporting both customer protection and the security research community,” the spokesperson told the publication.