- Researcher “Chaotic Eclipse” reveals new Microsoft Defender zero-day dubbed RedSun
- Flaw enables local privilege escalation to SYSTEM by abusing Defender’s file rewrite behavior
- Coming days after BlueHammer release; Microsoft says it is investigating and supporting coordinated disclosure
The same disgruntled researcher who recently uncovered a zero-day vulnerability in Windows has now done it again, this time targeting Microsoft Defender, the operating system’s native antivirus solution.
A researcher with the alias “Chaotic Eclipse” has published a proof-of-concept (PoC) exploit for a vulnerability they named “RedSun”. It is a local privilege escalation flaw that allows malicious actors to gain SYSTEM privileges on the latest versions of Windows 10, Windows 11, and Windows Server with Windows Defender enabled.
“When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and funny reason, the antivirus it’s supposed to protect decides it’s a good idea to just rewrite the file it found back to its original location,” wrote Chaotic Eclipse. “PoC abuses this behavior to overwrite system files and gain administrative privileges.”
“Terrible experience”
BleepingComputer confirmed that the bug works and says that some antivirus vendors on VirusTotal are already detecting the PoC, because the executable contains an embedded EICAR antivirus test file.
The news comes about 10 days after Chaotic Eclipse released the code for BlueHammer, a privilege escalation flaw that allows local attackers to gain SYSTEM or elevated administrator permissions on the targeted endpoint.
Apparently, the researcher is unhappy with the way Microsoft handles vulnerability disclosure.
“Normally I would go through the process of begging them to fix a bug, but to summarize, I was personally told by them that they want to ruin my life and they did, and I’m not sure if I was the only one who had this terrible experience or few people did, but I think most people just wanted to eat it and cut their losses, but for me, they took everything away,” Chaotic Eclipse apparently said.
“They washed the floor with me and pulled all the childish tricks they could. It was so bad at one point I wondered if I was dealing with a large corporation or someone just having fun watching me suffer, but it seems to be a collective decision.”
In response, Microsoft said it has a “customer obligation to investigate reported security issues and update affected devices to protect customers as quickly as possible.
“We also support coordinated vulnerability disclosure, a widely used industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” the spokesperson told the publication.