Microsoft Defender Zero-Day Exploit ‘RoguePlanet’ Spawns SYSTEM Privileges on Patched Windows 10 and 11

by Anika Shah - Technology

Microsoft Defender Zero-Day Exploit “RoguePlanet” Circulates Despite Patch Tuesday Fixes

A researcher known as Nightmare Eclipse has released a proof-of-concept exploit called “RoguePlanet” targeting Microsoft Defender, according to BleepingComputer. The vulnerability allegedly allows attackers to spawn a command prompt with SYSTEM privileges on fully patched Windows 10 and 11 systems through a Defender race condition. This development occurred just hours after Microsoft addressed two previously disclosed flaws during its May 2024 Patch Tuesday update, its largest release to date.

How Does RoguePlanet Work?

The exploit leverages a race condition in Microsoft Defender, enabling unauthorized access to elevated privileges. Nightmare Eclipse described the flaw as a “hit or miss,” achieving a 100% success rate on some machines but struggling on others. The researcher initially developed the exploit as a remote code execution (RCE) vulnerability that required victims to open a .vhd(x) file from a remote SMB share. However, Microsoft addressed this vector in mid-May by patching the “mpengine!SysIO*” API, which blocked junction attacks.


What Do Security Firms Say?

Cybersecurity firm ThreatLocker confirmed the exploit’s viability, reproducing the flaw in testing against Windows 11 systems with the latest patches (KB5094126). “Organizations using application allowlisting can prevent the exploit from executing,” stated Danny Jenkins, CEO of ThreatLocker. The firm shared a video demonstrating the attack, highlighting the need for layered security measures.

What Are the Implications for Users?

The release of RoguePlanet underscores the challenges of securing complex software ecosystems. Microsoft’s Patch Tuesday fixes did not address this specific vulnerability, leaving users reliant on additional safeguards. Experts recommend enabling application allowlisting and monitoring SMB share access to mitigate risks. The exploit also raises questions about the effectiveness of race condition patches, as noted by cybersecurity analysts.
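To turn the recommendations above into something checkable, here is an added read-only posture script (not from the article, ThreatLocker or Microsoft) that reports whether the update named in the article (KB5094126) is installed, which Defender engine is loaded, whether AppLocker or WDAC allowlisting is actually enforced, and which remote SMB shares the host is currently connected to. It assumes a Windows 10/11 host with the Defender, AppLocker and SmbShare PowerShell modules present; since the article does not say which engine version carries the mpengine fix, the engine version is reported, not judged.

```powershell
# Added example: defender-side posture check for the mitigations discussed above.
# Assumptions: run elevated on Windows 10/11; module names are the standard
# in-box ones. The engine version is printed for comparison with Microsoft's
# release notes; this script does not assert which version is "fixed".

#Requires -RunAsAdministrator

$kb = 'KB5094126'   # update cited in the article's ThreatLocker test

# 1. Is the cumulative update installed?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) { "$kb installed on $($hotfix.InstalledOn)" } else { "$kb NOT found" }

# 2. Which Defender engine/platform/signatures are loaded?
$mp = Get-MpComputerStatus
"Defender engine:      $($mp.AMEngineVersion)"
"Defender platform:    $($mp.AMProductVersion)"
"Signatures:           $($mp.AntivirusSignatureVersion)"
"Real-time protection: $($mp.RealTimeProtectionEnabled)"

# 3. Is an AppLocker policy effective, and does it cover executables?
$al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$exe = $al.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
if ($exe -and $exe.Count -gt 0) {
    "AppLocker Exe collection: $($exe.EnforcementMode), $($exe.Count) rule(s)"
} else {
    "AppLocker: no effective Exe rules (allowlisting not enforced via AppLocker)"
}

# 4. Is a WDAC (Code Integrity) policy enforced? 0 = off, 1 = audit, 2 = enforced
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
"WDAC user-mode enforcement status: $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# 5. Which remote SMB shares is this host currently connected to?
Get-SmbConnection -ErrorAction SilentlyContinue |
    Select-Object ServerName, ShareName, UserName, NumOpens |
    Format-Table -AutoSize
```

A host showing the KB missing, no Exe rules and WDAC status 0 has none of the safeguards the article's experts recommend in place.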


Why Does This Matter?

This incident follows a pattern of zero-day disclosures that outpace traditional patch cycles. In 2023, a similar Defender vulnerability (CVE-2023-21706) allowed privilege escalation, prompting Microsoft to update its threat intelligence frameworks. RoguePlanet’s emergence highlights the ongoing arms race between exploit developers and defenders, particularly as attackers increasingly target endpoint protection software.
