Microsoft's Own Security Tool Weaponized In Shocking New Attack
By 813 Staff
Breaking from the tech world: Microsoft's Own Security Tool Weaponized In Shocking New Attack, as reported tonight by BleepingComputer (@BleepinComputer).
Source: https://x.com/BleepinComputer/status/2044873404528943228
A single command, typed into a local Windows terminal, is all it took to elevate an ordinary user to the highest level of system authority. That is the stark reality of a newly disclosed proof-of-concept exploit targeting a component within Microsoft Defender, codenamed “RedSun,” which security researchers have confirmed grants attackers full SYSTEM privileges. The vulnerability, detailed in a report by BleepingComputer (@BleepinComputer), represents a critical failure in a security product designed to be the last line of defense, turning it into a potent weapon for privilege escalation. Internal documents show the RedSun module was part of a recent, aggressive push to integrate advanced behavioral detection directly into the Windows kernel, a move that now appears to have backfired spectacularly.
The flaw resides in how the Defender RedSun engine handles certain memory operations when parsing malicious file signatures. Engineers close to the project say the module’s deep integration with the core operating system, intended to catch fileless malware, inadvertently created an unprotected pathway. By crafting a specific sequence of data, an attacker with low-level user access can trigger the flaw, causing the Defender service itself to execute arbitrary code with unrestricted SYSTEM rights. This would allow a threat actor to install persistent malware, disable security tools entirely, or move laterally across a corporate network. The proof-of-concept code is now circulating in restricted security forums, increasing the pressure on Microsoft to act before it is weaponized in real-world attacks.
For enterprise security teams, this is a worst-case scenario unfolding in a core Microsoft service. The rollout of RedSun has been anything but smooth, with early adopters reporting stability issues, but the discovery of a zero-day privilege escalation elevates the situation to a full-blown crisis. It undermines the foundational principle of endpoint security: that the protector cannot be compromised to attack the host. Every system with the latest Defender updates, which are often pushed automatically, is potentially vulnerable until a patch is applied. The impact is particularly severe for managed service providers and large organizations where Microsoft Defender is the mandated, centralized security platform.
What happens next hinges on Microsoft’s response time. The company has been notified and is reportedly working on an emergency patch, but the timeline for its release remains uncertain. The dangerous period between disclosure and patch deployment—often called the “vulnerability window”—is now open. System administrators are advised to monitor for any anomalous behavior related to the Antimalware Service Executable (MsMpEng.exe) and to apply the official fix immediately upon release. Until then, the very software trusted to keep millions of machines safe carries a latent, and now publicly known, danger within its own code.
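The monitoring advice above is easier to act on with a concrete rule. The following Python script is an added example, not code from the article or from BleepingComputer, and it makes no claim about how RedSun itself is triggered. It assumes a simplified, Sysmon-like process-creation record (one JSON object per line with `image`, `parent_image`, `user` and `command_line` fields; the sample log, the platform version directory `4.18.0-0` and the allowlist of expected children are all constructed assumptions to be tuned against a real baseline) and flags two things a defender would want to know about the Antimalware Service Executable: MsMpEng.exe spawning a child it normally never spawns, especially a shell running as SYSTEM, and an MsMpEng.exe image launched from somewhere other than the Defender platform directories.

```python
"""Flag suspicious process-creation events involving MsMpEng.exe.

Added example, not from the article or BleepingComputer. Assumes a simplified,
Sysmon-like process-creation record (constructed here): one JSON object per
line with image, parent_image, user and command_line fields.
"""
from __future__ import annotations

import json
from typing import Iterable

# Directories where the Antimalware Service Executable normally lives
# (assumption: the versioned Platform subdirectory varies per install).
EXPECTED_ENGINE_DIRS = (
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)
# Children MsMpEng.exe is expected to spawn (assumption; tune from a baseline).
EXPECTED_CHILDREN = {"conhost.exe", "mpcmdrun.exe"}
# Interactive shells and script hosts are unexpected children of an antimalware
# service; one running as SYSTEM is the classic sign of a privilege-escalation
# payload executing inside the service.
SHELL_LIKE = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means clean."""
    reasons: list[str] = []
    image = event.get("image", "")
    parent = event.get("parent_image", "")
    user = event.get("user", "")
    child_name = basename(image)
    parent_name = basename(parent)

    if parent_name == "msmpeng.exe":
        if child_name not in EXPECTED_CHILDREN:
            reasons.append(f"unexpected child of MsMpEng.exe: {child_name}")
        if child_name in SHELL_LIKE and user.upper().endswith("SYSTEM"):
            reasons.append("shell-like process spawned as SYSTEM by the Defender service")

    if child_name == "msmpeng.exe":
        lowered = image.lower().replace("/", "\\")
        if not any(lowered.startswith(d) for d in EXPECTED_ENGINE_DIRS):
            reasons.append(f"MsMpEng.exe started from unexpected path: {image}")
    return reasons


def scan(lines: Iterable[str]) -> list[tuple[dict, list[str]]]:
    """Run classify() over JSON-per-line records, skipping malformed lines."""
    hits: list[tuple[dict, list[str]]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad record abort the whole scan
        reasons = classify(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample log: two benign Defender events, one shell spawned by the
# service as SYSTEM, one MsMpEng.exe look-alike in a user-writable directory,
# and one unrelated PowerShell launch by a user.
SAMPLE_LOG = r"""
{"image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "user": "NT AUTHORITY\\SYSTEM", "command_line": "MsMpEng.exe"}
{"image": "C:\\Windows\\System32\\conhost.exe", "parent_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe", "user": "NT AUTHORITY\\SYSTEM", "command_line": "conhost.exe 0x4"}
{"image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe", "user": "NT AUTHORITY\\SYSTEM", "command_line": "cmd.exe /c echo hello"}
{"image": "C:\\Users\\Public\\MsMpEng.exe", "parent_image": "C:\\Windows\\explorer.exe", "user": "WORKSTATION\\alice", "command_line": "MsMpEng.exe"}
{"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "user": "WORKSTATION\\alice", "command_line": "powershell.exe"}
"""


if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_LOG.splitlines()):
        print(event["image"], "<-", event["parent_image"])
        for reason in reasons:
            print("   ", reason)
```

The first rule is the one to wire into an EDR or SIEM alert: in a healthy estate MsMpEng.exe has a very short list of children, so anything outside that list, and a shell as SYSTEM in particular, deserves an immediate look. The path rule is a cheap guard against an attacker's own binary masquerading under the service's name. Both rules need a baseline from your fleet before they are trusted, since the allowlists here are assumptions rather than vendor-published facts.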
