News: 0183947262


Microsoft Working To Patch 'RoguePlanet' Zero-Day (securityweek.com)

(Wednesday June 17, 2026 @11:30PM (BeauHD) from the whack-a-mole dept.)


[1]wiredmikey shares a report from SecurityWeek:

> Microsoft on Wednesday published an [2]advisory acknowledging the public disclosure of a vulnerability in Defender that could lead to privilege escalation. The security defect, tracked as CVE-2026-50656 (CVSS score of 7.8), was dropped last week by security researcher Nightmare Eclipse (also known as Chaotic Eclipse). "We are [3]working to provide a high-quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available," Microsoft adds.

>

> RoguePlanet, Nightmare Eclipse explained last week, targets a race condition in Microsoft Defender and [4]allows attackers to gain System privileges. The researcher released a proof-of-concept (PoC) exploit that demonstrates local privilege escalation (LPE) on Windows 11 and Windows 10 systems with the June 2026 patches installed. [...] On Wednesday, Nightmare Eclipse [5]pointed out that the PoC works regardless of whether Defender's real-time protection is enabled or disabled. It may even work in passive mode, the researcher said.



[1] https://slashdot.org/~wiredmikey

[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656

[3] https://www.securityweek.com/microsoft-working-on-patch-for-rogueplanet-zero-day/

[4] https://it.slashdot.org/story/26/06/10/2053232/microsoft-defender-rogueplanet-zero-day-grants-system-privileges

[5] https://blog.projectnightcrawler.dev/posts/2026-06-16-rogueplanet-another-quick-statement/



This would be a nice CRA case (Score:2)

by gweihir ( 88907 )

Unfortunately, the CRA only goes active end of 2027.

In Other Words (Score:2)

by jrnvk ( 4197967 )

"the PoC works regardless of whether Defender's real-time protection is enabled or disabled. It may even work in passive mode"... so in other words, the application that was supposed to protect organizations actually became the attack vector. Awesome!

Re: (Score:2)

by gweihir ( 88907 )

Incompetence at its finest!

more takedowns in the shadows too (Score:2)

by AcidFnTonic ( 791034 )

Are they going to keep trying to take down his repositories too?

Wow, a high quality security update (Score:2)

by thesjaakspoiler ( 4782965 )

Is there such a thing as a low quality security update?

Re: (Score:2)

by CommunityMember ( 6662188 )

> Is there such a thing as a low quality security update?

Unfortunately yes, as some security update fixes turn out to not actually fix the entire set of issues that the vulnerability took advantage of (it might have fixed one avenue, but not all alternative avenues).

Re: (Score:2)

by BoogieChile ( 517082 )

In Microsoft's case, yes, definitely.

Updates that don't fix the vulnerability, updates that create brand new vulnerabilities, updates that brick your hard drive, updates that wipe your data, we've seen them all.

Re: (Score:2)

by CommunityMember ( 6662188 )

> In Microsoft's case, yes, definitely.

While it is fashionable to pick on Microsoft (and they do deserve some shame), the Linux Kernel had many failures to fix the various copy-fail/dirty-fail variant vulnerabilities (a new fix once a day for a period of time) just a couple of weeks ago. No OS is immune from fixes that are not complete.

Re: (Score:2)

by sound+vision ( 884283 )

Yes, that's why they have to specify.

"Microsoft sucks" isn't just something you read in Slashdot comments anymore. This last year or two, the meme has gone fully mainstream. Starting with the Clownstrike thing (blamed on Microsoft, rightly or wrongly) and accelerating with the Windows 11 shitshow and the contemporary Copilot / cloud services force-feeding.

Their patches have gotten so bad in the vibe-coding era that even Susan From Accounting is starting to notice. She's afraid to update anything now. I don'

Bruh. More LPEs? I can't tell you how worried I am (Score:2)

by MIPSPro ( 10156657 )

I'm just not impressed yet. Out of all this "AI bug apocalypse" story, we've got one RCE in some FreeBSD NFSd bug (i.e., not enabled by default and very unlikely to be exposed to the internet) that the "AI Gods" have rained down fire on us with. I mean.... is that it? C'mon man, Anthropic said they'd found THOUSANDS in operating systems not just boring web applications or databases and they had the crypto signatures to prove it later (yet they only shared a few dozen of those, hmmkay). Sure, sure, patch the

Regression (Score:2)

by Canberra1 ( 3475749 )

So far MS has offered no excuses for the regression of multiple high severity fixes. This guy is reinforcing honesty and accountability. Some think MS can afford code reviews, duty programmers and people who can read dumps and backtrack. No lazy 'just the minimum'. In my day, the author of the defective code had other code reviewed and fixed. Sounds like this is not being done either. Fear not, AI will soon learn and target the commit tree by the weakest coder, by date of inexperience.

Re: (Score:2)

by Canberra1 ( 3475749 )

Also MS has a sneaky habit of reusing fix numbers, and sneaking in fixes willy nilly, so the number of patches does not look that bad. The justification is to make it harder for hackers to see what was fixed. Unfortunately on darkweb, that is already done. Most lawful security experts do not have the time to troll forums down the rabbit hole at their employer's expense (or arbitrary budget).
