Microsoft Fix for Defender Zero-Day Draws Fresh Criticism

Governance & Risk Management
,
Patch Management

NightmareEclipse Says Mitigation Can Exhaust Disk Space, Crash Apps

Microsoft Fix for Defender Zero-Day Draws Fresh Criticism
Image: Microsoft/ISMG

An independent security researcher disgruntled with how Microsoft handled vulnerability disclosure on Thursday criticized the computing giant’s patch this week for a zero-day flaw in the Defender security engine that the researcher disclosed in June.

See Also: The End of Plausible Deniability: Data Privacy Compliance in 2026

The flaw, known as RoguePlanet and tracked as CVE-2026-50656, is one of the flaws that a researcher going by NightmareEclipse disclosed along with a proof-of-concept. It allows remote attackers to gain administrative control of Windows Defender. Microsoft released a patch Tuesday, and the anonymous researcher said Thursday the mitigations could cause the platform to exhaust the disk space, crash applications or leak data to drivers.

The dispute marks the latest episode of a vulnerability disclosure saga, in which the researcher independently released eight Microsoft zero-days between April and June after complaining that the computer giant ignored his disclosures. Microsoft hit back with denunciation and legal threats that it ultimately backed away from.

The patch for RoguePlanet, released a month after the vulnerability was disclosed, could be exploited with a custom server message block server that responds to requests from Defender, the researcher said. The server would host a malicious file and an oversized zone.Identifier alternate data stream, a hidden metadata stream Windows uses to record a file’s origin.

“In the process of replying to the read requests, at some point the SMB server should never respond to the read request but keep the connection alive,” the researcher said. “This will cause Defender to hang and keep a lock on the offending files that holds the entire disk space.”

The researcher said the potential exploit is caused by a bug in SpyNet, now known as Microsoft Active Protection Service, the telemetry component of Defender’s malware scanning engine that supports its cloud-based protection features.

“Apparently the Spynet functions in mpengine.dll really wants to keep a local copy of :Zone.Identifier ADS file and it does not matter how big this file is, Windows Defender will cache it locally anyways,” the researcher said.

The mitigations could also cause malware scanning engine to “leak 8 bytes of data while attempting to open a file in certain scenarios,” the researcher said.

NightmareEclipse previously disclosed RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma and MiniPlasma in April and May and continued the momentum with the release of GreatXML and RoguePlanet in June.

The researcher claimed to have played by Microsoft’s rules first but was ghosted and not paid bug bounties. The company also deleted the Microsoft Security Response Center account the researcher used to report bugs.

The infuriated researcher then went on a disclosure rampage on GitHub and GitLab, was banned from both platforms by Microsoft and has since moved the repositories detailing the vulnerabilities to Project NightCrawler, an independent code-hosting platform.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *