‹ ARCHIVE NB-L031 · .log · 2026·06

The antivirus built into Windows just became the way in (and there's no fix yet)

Hours after Microsoft shipped the largest batch of security fixes in its history, a researcher published an exploit on GitHub, ready-to-run code that abuses a flaw in Windows Defender and turns the antivirus itself into the way in. Defender is the antivirus that ships built into nearly every Windows computer. And the exploit works on fully patched machines.

It is called RoguePlanet, and it is a zero-day, a vulnerability made public before any fix exists. The researcher, who goes by the alias Nightmare Eclipse, released it on June 10, on the afternoon of Patch Tuesday, the monthly day when Microsoft publishes its fixes. The irony is hard to miss: on the very day the company sealed hundreds of holes, a new one opened, and this one is out in the open.

What this means is bigger than one more security bulletin. The tool that exists to protect us has become the shortest path to compromising us. When an attacker does not need to defeat the defense but to turn it against the house, the word "patched" stops meaning "safe." That quiet guarantee is what RoguePlanet breaks.

How an ordinary user becomes an administrator

The attack is a race condition: a timing flaw between the moment Defender checks a file and the moment it acts on it. In that fraction of a second, the exploit swaps the file out from under the antivirus, so the check was made against one file and the action lands on another. This is the classic check-then-act pattern (time of check to time of use): any privileged component that inspects something by path and later acts on that same path is exposed if a lower-privileged user can change what the path refers to in between. Because Defender runs as SYSTEM, the highest privilege on a Windows machine, whatever the attacker slips into that window inherits that total power.

The starting point is the chilling part. You do not need to be an administrator. A plain user account, with no special permissions, is enough to end up in full control of the machine. In security terms, that is local privilege escalation. It affects patched Windows 10 and Windows 11; Windows Server escapes, thanks to a technical quirk that breaks the attack chain.
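To make the bug class concrete, here is an added illustration of a check-then-act race, written for this page and not taken from RoguePlanet or from Microsoft's code (the article does not document Defender's internal code path, and this example does not claim to reproduce it). A privileged "scanner" verifies a file's contents and later acts on the path; in the gap, an unprivileged "attacker" atomically renames a different file over that path. The file contents, file names and the stand-in payload are all constructed for the demo. The hardened variant opens the file once and does both the check and the action through that single handle, so a rename underneath cannot change the object it acts on. Thread events make the race deterministic so it is reproducible rather than "hit or miss".

```python
"""Check-then-act (TOCTOU) race: vulnerable and hardened scanner side by side.

Generic model of the bug class only; the real RoguePlanet code path is not
documented on the page. All file names and contents below are constructed.
"""
import os
import shutil
import tempfile
import threading

BENIGN = b"echo hello"             # constructed: content the scanner approves
MALICIOUS = b"spawn SYSTEM shell"  # constructed: stand-in for an attacker payload


def vulnerable_scan_then_act(path, checked, swapped):
    """Check by path, then act by path: the two opens may resolve to different files."""
    with open(path, "rb") as f:                      # time of check
        if f.read() != BENIGN:
            return {"outcome": "blocked", "payload": None}
    checked.set()                                    # race window opens (a real scan takes time)
    swapped.wait(timeout=5)                          # deterministic demo: let the attacker win
    with open(path, "rb") as f:                      # time of use: re-resolves the path
        return {"outcome": "ran", "payload": f.read()}


def path_was_swapped(path, fd):
    """True if `path` no longer names the object behind `fd` (device/inode compare)."""
    by_path, by_handle = os.stat(path), os.fstat(fd)
    return (by_path.st_dev, by_path.st_ino) != (by_handle.st_dev, by_handle.st_ino)


def hardened_scan_then_act(path, checked, swapped):
    """Open once; check and act through the same descriptor, never by path again."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if os.read(fd, 1 << 20) != BENIGN:           # time of check, via the handle
            return {"outcome": "blocked", "payload": None, "swap_detected": False}
        checked.set()
        swapped.wait(timeout=5)
        detected = path_was_swapped(path, fd)        # informational: did the path move?
        os.lseek(fd, 0, os.SEEK_SET)
        payload = os.read(fd, 1 << 20)               # time of use, same handle as the check
        return {"outcome": "ran", "payload": payload, "swap_detected": detected}
    finally:
        os.close(fd)


def swap_file(path, checked, swapped):
    """Unprivileged attacker: wait for the check, then rename a payload over the path."""
    checked.wait(timeout=5)
    staged = path + ".staged"
    with open(staged, "wb") as f:
        f.write(MALICIOUS)
    try:
        os.replace(staged, path)                     # atomic rename on POSIX and NTFS
    except OSError:
        os.unlink(staged)                            # Windows refuses while a handle is open
    swapped.set()


def run_race(victim):
    """Stage the race in a temp dir; return what the victim did and what ended up on disk."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "approved.bat")
    with open(path, "wb") as f:
        f.write(BENIGN)
    checked, swapped = threading.Event(), threading.Event()
    attacker = threading.Thread(target=swap_file, args=(path, checked, swapped))
    attacker.start()
    outcome = victim(path, checked, swapped)
    attacker.join()
    with open(path, "rb") as f:
        on_disk = f.read()
    shutil.rmtree(workdir)
    return {"victim": outcome, "on_disk": on_disk}


if __name__ == "__main__":
    for scanner in (vulnerable_scan_then_act, hardened_scan_then_act):
        print(scanner.__name__, run_race(scanner))
```

The vulnerable scanner approves the benign file and then "runs" the attacker's payload, because its second open re-resolved the path after the rename. The hardened scanner acts on the descriptor it checked, so it runs the benign content even though the path on disk now holds the payload. On Windows the rename is refused while the scanner holds the handle, which is the same design principle in a different form: the object you verified is the object you act on.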

No CVE, no fix, and a standoff in the middle

The author himself admits the flaw is not foolproof. "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," he wrote. Even so, other researchers confirmed it spawns a SYSTEM-level command prompt on systems carrying the June updates. As of now, there is no assigned CVE, the official identifier that catalogs each vulnerability, no advisory, and no fix for the root cause.

RoguePlanet did not come out of nowhere. It is the seventh in a series the same researcher has been dropping since April, with names like BlueHammer, RedSun and GreenPlasma. Several received CVEs, and at least three were exploited in real attacks. The motive he claims is a single one: retaliation against how Microsoft handles vulnerability disclosure and the rewards it pays those who report flaws. The company repeatedly removed his repositories from GitHub and GitLab, so he moved them to a server of his own.

Microsoft says it is "aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims," and it stands behind "coordinated vulnerability disclosure." Last month it had gone further, calling these public disclosures "never justifiable." Behind the duel, the math is simple: while the company and the researcher measure strength, the one left exposed is whoever uses a Windows PC every day.

For Portugal, this is not abstract. On May 25, the National Cybersecurity Centre had already issued an alert about another Windows Defender flaw from this same wave, under active exploitation and granting the same escalation to SYSTEM, urging an immediate update. Defender is the default antivirus in homes, companies and public services across the country. When the built-in defense trips, it trips for a lot of people at once.

How to cut your exposure

There is no magic button here, but there is ground to hold until the fix lands:

  • Keep Windows and Defender on automatic updates. It does not stop RoguePlanet, but it closes the neighboring flaws from the same series that already have fixes.
  • Work from a standard user account, not an administrator one. Most threats need a springboard to climb; the lower you start, the more steps an attacker has to clear.
  • In a business setting, consider application allowlisting, meaning only approved software is allowed to run. It was the defense experts pointed to for stopping this exploit specifically: the exploit must first run as the low-privileged user before it can climb, and an allowlist denies it that first step.
  • Be suspicious of the initial way in. This flaw hands power to someone already inside; the odd attachment, the pirated installer and the rushed link are still how they get there.

For years we told people that being protected meant having the antivirus on and the system up to date. RoguePlanet shows that sentence needs a footnote. Security was never a product you install and forget; it is a habit you keep. And today, more than trusting the tool that defends us, it is worth asking who is using it.

Original source: The Hacker News.
