
Microsoft Defender 'RoguePlanet' Zero-Day Grants SYSTEM Privileges (bleepingcomputer.com)

A researcher using the name Nightmare Eclipse has released a new Microsoft Defender zero-day exploit called "RoguePlanet," which reportedly works on fully patched Windows 10 and 11 systems and can spawn a command prompt with SYSTEM privileges through a Defender race condition. The release came just hours after Microsoft fixed two previously disclosed flaws during its latest monthly Patch Tuesday drop -- its largest Patch Tuesday release ever. BleepingComputer reports: The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after saying that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft. "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," Nightmare Eclipse wrote in the repository.

[...] Cybersecurity firm ThreatLocker told BleepingComputer that they successfully reproduced the flaw in their testing and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, and shared a video demonstrating it. "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack," Danny Jenkins, CEO of ThreatLocker, told BleepingComputer.

According to Nightmare Eclipse, RoguePlanet was originally developed as a remote code execution vulnerability that exploited Microsoft Defender's handling of files hosted on remote SMB shares. "In initial development, it was confirmed that this vulnerability was a remote code execution," the researcher explained in a blog post. "It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, successful exploitation resulted in defender overwriting its own files and obviously the end outcome was an RCE."

The researcher says another attack scenario could lead to remote code execution simply by coercing a victim into opening an SMB share if symlink evaluation settings were enabled. However, the researcher claims Microsoft silently hardened Defender in mid-May by patching the "mpengine!SysIO*" API, which blocked junction attacks. "Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE," the researcher wrote.

  • The description reads like many a ntlm/cifs exploit.....

  • "Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE," the researcher wrote.

    Maybe try to get out more.

  • for updates. Microsoft must be loving the AI vulnerability scanning, lol.
  • these folks coming out of the woodwork to show us all of these new shiny vectors -- could it just be some insider spillin' 20 years worth of beans?
  • Hell Hath No Fury (Score:5, Insightful)

    by bill_mcgonigle ( 4333 ) on Wednesday June 10, 2026 @10:46PM (#66185340)

    like a bounty-seeker scorned.

    Shoulda just paid 'em.

    He sounds quite knowledgeable and it looks like he'll continue whipping Defender until morale improves.

    It's worth noting that the black market would pay handsomely for most of his discoveries but retribution is sweeter than cash.

    I get the sentiment.

    • by CRC'99 ( 96526 )

      Worst part, you can only screw a community so many times before they just decide not to play ball anymore.

      At that point, it's almost impossible to restore the status quo - which is likely bad for everyone using MS kit at that point.

    • Regression (Score:2, Troll)

      by Canberra1 ( 3475749 )
      High severity bugfix regression was also disclosed. And has occurred several times. MS has not made a statement how this could have occurred. It's looking like managers get a bonus for not properly dealing with the big ones. Or that Agile is afoot - yeah we tried, and ran out of time. All is good, no-one is likely to look.
      • by Gilmoure ( 18428 )

        Meeting middle-management scheduling goals looks good on your yearly performance review.

        Gotta score that 4% raise!

  • The Irony! Alanis Morrissette eat yer heart out.
    • by Gilmoure ( 18428 )

      A newer version of me
      Is she corrupted like me?
      Would she go down on you in a presentation?
      Does she sneak in quietly?
      And would she have your system privileges?
      I'm sure she'd make a really excellent doorstop.

      • Cause the bugs went unpaid for the mess MS made
        And he's not gonna fade just because they close their eyes
        And they know it
        And every time they patch the fails
        and refuse to pay him back, he hopes they feel it
        Well, can you feel it?

        Cuz he's here to remind you
        Of the mess you made for the bugs unpaid
        It's not fair to deny him
        The cost that's fair for a bounty paid
        You, you, you oughta know
  • The person(s) behind this series of disclosures are clearly highly intelligent, knowledgeable, and industrious. Microsoft should be paying them the minimal acceptable bug bounty -- per bug, which in this case is $1M USD. (Anything less than that is an insult.) But of course Microsoft is far too accustomed to lying, cheating, and screwing other people, it's so embedded in their corporate culture, that it has never occurred to them to even try to do the right thing.

    Now to turn my attention to the Subjec
    • by gweihir ( 88907 )

      MS has stacked tech debt on tech debt and never even tried to make a good product. I doubt they even have any real idea what a good product would look like. That they are crooks is just the icing on the cake.

      As it is now, not only Windows is fundamentally broken and cannot be fixed. Their cloud got hacked several times. AD is always vulnerable in some way. They went "all in" on the crappy LLM-type AI. They are done for. They cannot really fix anything, their products just will get worse and worse until tota

  • It was said you'd DESTROY the 'sploits, not join them...
  • Stack tech-debt sky-high, build a house of cards, never really fix or simplify anything and that is what you get: A ruin that can only be torn down. That this is what they did is becoming more and more obvious at the moment. Windows very likely cannot be fixed anymore. Mindless greed does things like that.

    • by Gilmoure ( 18428 )

      Spin up a *nix and run M$ Apps in containers?

      • by gweihir ( 88907 )

        While they phone home? That does not help much for security. And it does nothing for all the other problems.

    • by geek ( 5680 )

      It can be fixed, they just won't do it. Microsoft has fought internally over various technologies for decades, between win32 and .Net and all the shit in-between. They never standardized like Apple did which left them entrenched in technical debt. They could, today, start a standardization process, build out a new and modern tech stack, advise their devs to migrate to that, then set a date with the cut off. Apple's success at this is a model for anyone to follow. They just won't due to internal fighting.

      Eve

      • by gweihir ( 88907 )

        It can be fixed

        That may well not be true. At a certain level of complexity, fixing anything means a redesign and reimplementation because anything else has exceeded the complexity that can be handled. That is the core reason why you want to keep technological debt as low as possible. Otherwise, at some point, you can just throw things away and start over. Microsoft has likely reached that point quite a while ago. Sure, if they could stop all development for, say, 10 years, and if they fire everybody responsible for the cu

        • by geek ( 5680 )

          I disagree. Apple went from OS9 to OSX, a completely new codebase by creating new frameworks for devs and a translation layer for old apps (Remember Cocoa, Rosetta, Carbon?). They then phased the old out while providing documentation and tools for devs to move. It's perfectly doable with very clear cases of it being done. Microsoft simply refuses to do it.

          Apple's even done this while switching from PPC to Intel and then to ARM. There is no technological barrier here, it's all organizational and cultural at

          • by gweihir ( 88907 )

            OSX is based on FreeBSD. They did not do a reimplementation, they just added the easy parts. And basing things on FreeBSD is also the thing that allows Apple to switch CPU architecture. Because they get that almost for free. And that is why they could do it so fast. Sure, theoretically MS could do the same, but they are not organizationally capable of even thinking that they may have screwed up enough to make that step the only way out.

            Also refer to countless large-scale software projects that have failed o

            • by geek ( 5680 )

              OSX is based on FreeBSD. They did not do a reimplementation, they just added the easy parts. And basing things on FreeBSD is also the thing that allows Apple to switch CPU architecture. Because they get that almost for free. And that is why they could do it so fast. Sure, theoretically MS could do the same, but they are not organizationally capable of even thinking that they may have screwed up enough to make that step the only way out.

              Also refer to countless large-scale software projects that have failed or are in a bad state but cannot be fixed.

              Why are you arguing? Your post just proved my whole point. Also it's not based on FreeBSD, it utilized the FreeBSD user space while doing their own kernel, Darwin. You keep stating "can't be fixed" as if it's some fact, while simultaneously acknowledging others have, in fact, fixed these issues in the past. Let it go.

              • by gweihir ( 88907 )

                You are arguing from faulty data. And, apparently, you have no real clue about software project complexity, cost and time needed.

        • Microsoft tried to ditch the technical debt twice, and it almost cost them their business each time.

          WinRT, along with the mandate that all applications be UWP, was meant to be the foundation of that. Once migrated, the legacy plumbing could have been ripped out from underneath, but doing so took away the entire point of using Windows in the first place, and so consumers rejected it. Forcing it any further would have resulted in a mass exodus to anything that isn't completely crippled in terms of applicat
          • by gweihir ( 88907 )

            Well, their tech-debt is killing them now, just slowly. The most imminent threat is that the EU finds out how much better the alternatives really are and then the floodgates may open. High revenue (which MS has, minus the LLM insanity or the failing xbox) is no assurance of longer-term survival, even if business grads are apparently not taught that fact.

  • ...hmmm...not able to secure a security tool...what are we even doing? I guess cyber theatre rolls on.
  • If Ukraine did nothing they would have been taken over, another nation would likely have been threatened, and we would likely be debating drones being used by THAT nation to kill Russians by now.
