Microsoft Defender zero-day disclosure escalates researcher frustration with vulnerability handling
A researcher calling themselves 'Chaotic Eclipse' has published a proof-of-concept exploit for 'RedSun', a second Microsoft Defender zero-day discovered in recent weeks. The public disclosure appears motivated by protest over Microsoft's vulnerability coordination practices.
The publication of a RedSun proof-of-concept by 'Chaotic Eclipse' is an escalation in the tension between researchers and vendors over vulnerability coordination. The researcher has published working exploit code for a Microsoft Defender flaw that grants SYSTEM-level privileges, which makes the practical threat considerably worse than a bare advisory would. It is the second Microsoft Defender zero-day from the same researcher within a fortnight, suggesting either a concentrated discovery effort or deliberate batching for effect.
The technical severity stems from the privilege escalation vector. An attacker who already has local access, or who has gained code execution as an unprivileged user through some other route, could use RedSun to obtain SYSTEM privileges and with them near-total control of the affected machine. Defender's antimalware service runs as SYSTEM by design and is present on every supported Windows installation, which makes it an attractive target for local privilege escalation. Working PoC code in the wild shortens the window defenders have to respond and raises the likelihood that the flaw is weaponised in real intrusions.
The disclosure strategy itself signals a breakdown in communication between this researcher and Microsoft. Publishing a PoC is normally a last resort after coordination has failed. The researcher's stated motive, 'protesting how the company works with cybersecurity researchers', suggests that Microsoft either ignored the reports, disputed their severity, or moved too slowly through its vulnerability management process; which of these applied is not stated. This mirrors patterns seen with other vendors where researchers feel their detailed reports are deprioritised.
Organisations running Microsoft Defender should inventory which Defender platform and engine versions are deployed, so they can act the moment Microsoft publishes affected-version guidance, and watch for emergency updates. Working exploit code makes patching urgent rather than routine. Security teams should also review how they detect unexpected processes running as SYSTEM, and consider whether attack surface reduction rules or kernel-mode protections can limit what a successful local privilege escalation can do.
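One way to do that inventory, as an added example that is not part of the original article and not code from Microsoft or the researcher: a PowerShell snapshot of the Defender platform, engine and signature versions plus the attack surface reduction (ASR) rule state on a host. It uses only the documented Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) and their documented property names; the JSON layout and the hygiene findings it reports are this example's own choices. Since the disclosure does not come with an affected-version list, the script records versions for later comparison rather than deciding vulnerability itself.

```powershell
# Added example: snapshot Defender component versions and ASR configuration so
# they can be compared against whatever affected-version guidance Microsoft publishes.
# Assumes Windows 10/11 or Server with the Defender PowerShell module; run elevated.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$snapshot = [ordered]@{
    Host               = $env:COMPUTERNAME
    CollectedUtc       = (Get-Date).ToUniversalTime().ToString('o')
    PlatformVersion    = $status.AMProductVersion          # antimalware platform (MsMpEng.exe)
    EngineVersion      = $status.AMEngineVersion           # scanning engine (mpengine.dll)
    SignatureVersion   = $status.AntivirusSignatureVersion
    ServiceEnabled     = $status.AMServiceEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtection   = $status.IsTamperProtected
}

# ASR rules are exposed as two parallel arrays: rule GUIDs and their actions
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$asr = @{}
if ($pref.AttackSurfaceReductionRules_Ids) {
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $asr[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}
$snapshot.AsrRulesConfigured = $asr.Count
$snapshot.AsrRulesInBlock    = @($asr.Values | Where-Object { $_ -eq 1 }).Count

# Hygiene gaps a defender would want closed before a patch ships (example's own checks).
$findings = @()
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if (-not $status.IsTamperProtected)         { $findings += 'Tamper protection is off' }
if ($asr.Count -eq 0)                       { $findings += 'No ASR rules configured' }
$snapshot.Findings = $findings

[pscustomobject]$snapshot | ConvertTo-Json -Depth 3
```

Run it across a fleet with Invoke-Command and collect the JSON centrally; once Microsoft states which platform or engine versions are affected, the PlatformVersion and EngineVersion fields are what you compare against. Tamper protection matters here because an attacker who already has SYSTEM can otherwise simply disable the product that is being exploited.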
The broader implication is that Microsoft's vulnerability coordination process may need visible revision. Repeated public PoC disclosure from frustrated researchers often accelerates vendor patching timelines but erodes the goodwill necessary for responsible disclosure to function. This incident also signals that Defender, as a core security product, remains an attractive research target and that defenders cannot assume Microsoft's own security products are immune to serious privilege escalation flaws.