HomeMalware & ThreatsMicrosoft's Fix for Defender Zero-Day Faces New Criticism

Microsoft’s Fix for Defender Zero-Day Faces New Criticism

Published on

spot_img

Governance & Risk Management,
Patch Management

NightmareEclipse Discusses Potential Issues with Microsoft’s Mitigation Strategy

Microsoft’s Fix for Defender Zero-Day Faces New Criticism
Image: Microsoft/ISMG

Recent developments surrounding Microsoft’s handling of a critical vulnerability in its Defender security engine have drawn significant attention and criticism. An independent security researcher, known by the alias NightmareEclipse, has publicly expressed discontent regarding the company’s approach to vulnerability disclosures. The researcher made headlines on Thursday, criticizing Microsoft’s patch for a zero-day flaw referred to as RoguePlanet, which was disclosed in June.

This particular security flaw, tracked as CVE-2026-50656, allows remote attackers to gain administrative control over Windows Defender—a point of serious concern for many users and organizations reliant on this security tool. The patch was released on July 5, and NightmareEclipse was quick to highlight potential consequences of said patch, asserting that the mitigations may inadvertently lead to disk space exhaustion, application crashes, or even data leaks to unauthorized drivers.

This ongoing dispute emphasizes a larger narrative of frustration between the researcher and Microsoft. Between April and June, NightmareEclipse independently disclosed eight different zero-day vulnerabilities, citing a lack of responsiveness from the tech giant regarding prior reports. The researcher alleged that despite their efforts to follow Microsoft’s reporting protocols, they were met with silence and frustration, leading to their adverse reaction.

Microsoft’s response to these disclosures included strong denunciation and hints of legal action, which they later retracted. This back-and-forth highlights the tension inherent in the vulnerability disclosure process, wherein independent researchers often find themselves at odds with large corporations. The patch for RoguePlanet, which was rolled out a month after the initial disclosure, is said to be susceptible to exploitation via a custom Server Message Block (SMB) server. This server could interact with Defender in ways that could be harmful to users, as demonstrated by NightmareEclipse’s analysis.

According to the researcher, this potential exploit relies on a malicious file hosted on the SMB server, accompanied by an oversized zone.Identifier alternate data stream. The researcher’s assessment details how, during the process of responding to read requests, the SMB server could fail to reply correctly, leading to a situation where Defender hangs and locks access to affected files, effectively filling the entire disk space.

Furthermore, concerns arose regarding the SpyNet component—now known as Microsoft Active Protection Service—integral to Defender’s cloud-based protection features. NightmareEclipse focused on a bug within SpyNet, stating that the component attempts to keep a local copy of the :Zone.Identifier alternate data stream, regardless of its size. This mismanagement could not only exhaust disk space but also leak critical data during file access attempts.

NightmareEclipse, whose prior disclosures include vulnerabilities like RedSun, UnDefend, and numerous others, claims to have initially tried to comply with Microsoft’s vulnerability reporting guidelines. However, after feeling ignored and not receiving the expected bug bounty rewards, their frustration exploded into a series of public disclosures on platforms like GitHub and GitLab. Facing bans from both platforms, NightmareEclipse has since migrated to Project NightCrawler, a more independent code-hosting platform, to continue sharing their findings.

This ongoing saga underscores the complex relationship between independent researchers and major corporations in the cybersecurity landscape. It raises vital questions about transparency, management of vulnerabilities, and the implications for those working to improve system security. The ordeal serves as a reminder of the critical importance of open communication and recognition in fostering a collaborative approach to cybersecurity. As this situation continues to unfold, stakeholders across the ecosystem will undoubtedly be watching closely.

Source link

Latest articles

Top 10 Cloud Security Providers

As organizations increasingly transition critical applications and sensitive data to the cloud, the traditional...

New GigaWiper Malware Merges Espionage and Destructive Features

New Multi-Purpose Backdoor GigaWiper Emerges as a Major Threat A recent discovery by Microsoft has...

CrowdStrike Reports Five New Prompt Injection Threats to AI

Unwitting User Context-Data Injection: A New Threat to AI Security In the rapidly evolving landscape...

EU Increases Warrantless Mass Scanning of Messages

In a recent vote, the interim regulation aimed at implementing broad surveillance measures known...

More like this

Top 10 Cloud Security Providers

As organizations increasingly transition critical applications and sensitive data to the cloud, the traditional...

New GigaWiper Malware Merges Espionage and Destructive Features

New Multi-Purpose Backdoor GigaWiper Emerges as a Major Threat A recent discovery by Microsoft has...

CrowdStrike Reports Five New Prompt Injection Threats to AI

Unwitting User Context-Data Injection: A New Threat to AI Security In the rapidly evolving landscape...