Microsoft Defender RedSun Zero-Day Exploit Gains SYSTEM Access

▼ Summary
– A researcher operating under the alias “Chaotic Eclipse” has released a proof-of-concept exploit for a second Microsoft Defender zero-day vulnerability, called “RedSun.”
– This is the second such exploit the researcher has published within a two-week period.
– The action is a form of protest against Microsoft’s practices for working with cybersecurity researchers.
– The exploit targets Microsoft Defender, which is the built-in antivirus software for Windows.
– The researcher’s protest highlights ongoing tensions between security researchers and large software vendors over vulnerability disclosure.
A cybersecurity researcher operating under the alias “Chaotic Eclipse” has publicly released a second proof-of-concept exploit targeting Microsoft Defender in as many weeks. The latest vulnerability, named RedSun, lets an attacker who can already run code as a low-privileged user on a Windows machine gain SYSTEM-level access. The researcher frames the releases as a protest against Microsoft’s policies and practices for engaging with the external security community.
The exploit targets the Microsoft Malware Protection Engine (mpengine.dll), the core scanning component of the Defender antivirus service. A specially crafted file triggers a memory corruption flaw when the engine processes it. Because the Defender service runs as NT AUTHORITY\SYSTEM, arbitrary code that executes inside the engine inherits those privileges, which amounts to complete control of the machine. This kind of local privilege escalation is particularly dangerous because it turns a limited initial foothold, such as a phishing payload running as an ordinary user, into a full system takeover.
This disclosure follows another recent exploit, dubbed “BlueMoon,” released by the same individual. The back-to-back publications highlight a growing frustration among some security researchers regarding vulnerability disclosure processes. Chaotic Eclipse has stated these releases are a direct response to perceived shortcomings in how Microsoft handles external reports, including communication delays and a lack of transparency in remediation timelines.
The core of the protest centers on the dynamics of coordinated vulnerability disclosure. Researchers often rely on established channels and reasonable timeframes for vendors to develop and deploy patches before public details are released. When these channels break down or are perceived as ineffective, it can lead to full public disclosure without a fix in place, potentially putting users at risk. The researcher contends that Microsoft’s current approach necessitates such drastic actions to spur change.
For organizations and individual users, the immediate concern is mitigation. No Microsoft fix is available yet. Fixes to the Malware Protection Engine are normally delivered through Defender’s automatic engine updates rather than the monthly Windows update cycle, so once Microsoft announces a fixed build, the first check is the engine version reported by the Defender client on each host. Because RedSun is a privilege-escalation bug, least privilege does not stop the exploit once an attacker can run code as any local user, but it does narrow the paths to that initial foothold: removing standing local administrator rights and restricting which users can run untrusted code reduce the chance the exploit is ever reached. Network segmentation limits what a compromised host can reach, and monitoring for unexpected processes running as SYSTEM, particularly children of parents that do not normally spawn them, gives defenders a chance to catch exploitation in progress. The repeated emergence of these flaws underscores that security software itself must be rigorously hardened: it runs with extensive system permissions, parses attacker-controlled input by design, and is therefore a high-value target.
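The checks above, as an added PowerShell example that is not part of the BleepingComputer article and is not Microsoft’s own guidance. It assumes an elevated session on a Windows host with Microsoft Defender installed and process-creation auditing (Security event 4688, with command-line logging) enabled; the list of parent processes treated as normal SYSTEM spawners is an assumption to be tuned per environment, and the script reports findings for review rather than blocking anything.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): baseline checks an administrator can run
# while a Defender engine fix is pending. Assumes process-creation auditing
# (Event ID 4688) is enabled so that parent/child process relationships are logged.

# 1. Record the Defender engine, platform and signature versions so each host can be
#    compared against whatever fixed engine build Microsoft eventually publishes.
$status = Get-MpComputerStatus
[pscustomobject]@{
    EngineVersion     = $status.AMEngineVersion
    PlatformVersion   = $status.AMProductVersion
    SignatureVersion  = $status.AntivirusSignatureVersion
    RealTimeProtected = $status.RealTimeProtectionEnabled
} | Format-List

# 2. Least privilege: enumerate the local Administrators group so standing admin
#    rights that are not needed can be removed.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 3. Monitoring: processes created in the SYSTEM context (SID S-1-5-18) in the last
#    24 hours whose parent is not one of the usual service hosts. A local privilege
#    escalation typically shows up as an unexpected parent spawning a SYSTEM child.
$knownParents = @(   # assumption: tune this allow-list to the environment
    'C:\Windows\System32\services.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\smss.exe',
    'C:\Windows\System32\csrss.exe'
)
$since = (Get-Date).AddHours(-24)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4688 puts its fields in EventData/Data elements keyed by the Name attribute.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Creator = $data['SubjectUserSid']   # account that created the process
            Target  = $data['TargetUserSid']    # account the new process runs as (NULL SID when same as creator)
            Parent  = $data['ParentProcessName']
            Child   = $data['NewProcessName']
            Cmd     = $data['CommandLine']
        }
    } |
    Where-Object {
        ($_.Creator -eq 'S-1-5-18' -or $_.Target -eq 'S-1-5-18') -and
        ($knownParents -notcontains $_.Parent)
    } |
    Sort-Object Time -Descending |
    Format-Table Time, Parent, Child, Cmd -AutoSize
```

Run it periodically or feed the third section into a SIEM query; on a quiet workstation the SYSTEM-child list is short and stable, so new entries (an interactive shell, a script host, or an installer with a service as parent) are worth a look. Event 4688 only carries the parent process name and command line when those audit sub-options are switched on, so confirm the policy before trusting an empty result.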
The situation presents a genuine trade-off. Public demonstrations of critical vulnerabilities raise short-term risk for every unpatched user, yet they also apply intense pressure on vendors to improve their security posture and their collaboration with researchers. The cybersecurity community is now watching how Microsoft responds and whether the response brings substantive changes to its researcher engagement programs. The outcome will likely shape how similar disputes are handled across the industry.
(Source: BleepingComputer)