- “Chaotic Eclipse” researcher reveals a new zero-day in Microsoft Defender, called RedSun
- Flaw allows escalation of local privileges to SYSTEM by abusing Defender’s file rewrite behavior
- It arrives days after the release of BlueHammer; Microsoft says it is investigating and supports coordinated disclosure
The same disgruntled researcher who recently revealed a zero-day vulnerability in Windows has done it again, this time targeting Microsoft Defender, the operating system’s native antivirus solution.
A researcher using the alias “Chaotic Eclipse” published a proof-of-concept (PoC) exploit for a vulnerability he called “RedSun.” It is a local privilege escalation flaw that allows a local attacker to gain SYSTEM privileges on the latest versions of Windows 10, Windows 11, and Windows Server when Windows Defender is enabled.
“When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus it’s supposed to protect decides it’s a good idea to simply rewrite the file it found back to its original location,” Chaotic Eclipse wrote. “The PoC abuses this behavior to overwrite system files and gain administrative privileges.”
“Horrible experience”
BleepingComputer confirmed that the flaw works and said that some antivirus engines on VirusTotal already flag the PoC, because the executable contains an embedded EICAR antivirus test file rather than because they recognize the exploit itself.
The news comes approximately 10 days after Chaotic Eclipse released code for BlueHammer, a privilege escalation flaw that allows local attackers to gain elevated SYSTEM or administrator permissions on the target endpoint.
Apparently, the researcher was dissatisfied with the way Microsoft handles vulnerability disclosure.
“Normally I would go through the process of begging them to fix a bug, but long story short, they told me personally that they would ruin my life and they did, and I’m not sure if I was the only one who had this horrible experience or few people did, but I think most would just eat it and cut their losses, but they took it all away from me,” Chaotic Eclipse apparently said.
“They mopped the floor with me and used every playground they could. It was so bad that at some point I wondered if I was dealing with a massive corporation or someone who just gets a kick out of watching me suffer, but it seems to be a collective decision.”
In response, Microsoft said it has a “customer commitment to investigate reported security issues and update affected devices to protect customers as soon as possible.”
“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” the spokesperson told the publication.