TL;DR
Chaotic Eclipse released RoguePlanet, its seventh Windows zero-day, just hours after Microsoft’s record Patch Tuesday. Gives SYSTEM access on fully patched machines.
Chaotic Eclipse, the security researcher Microsoft has threatened with criminal prosecution, has published a seventh Windows zero-day exploit. Called RoguePlanet, it grants SYSTEM privileges to attackers on fully patched Windows 10 and 11 machines. The researcher released the proof-of-concept just hours after Microsoft shipped its June Patch Tuesday update, which fixes more than 200 vulnerabilities.
RoguePlanet uses a race condition in Windows Defender’s internal file-processing logic. Specifically, it is a time-of-check/time-of-use (TOCTOU) vulnerability: an unprivileged user can redirect a file operation performed by Defender, which runs as SYSTEM, so that attacker-controlled code ends up executing at the highest privilege level.
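To make the vulnerability class concrete, here is an added illustration of a TOCTOU race on a file operation in POSIX C. It is not Defender’s code or the researcher’s exploit; the `race` callback, the scratch directory under `/tmp`, and the file names and contents are all constructed for the demo. The racy function checks a path with `lstat` and then opens the same path, leaving a window in which the object behind the path can change; the hardened function opens first with `O_NOFOLLOW` and validates the descriptor it actually got with `fstat`, so the check and the use refer to the same kernel object.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable check-then-use: the check (lstat by path) and the use (open by the
 * same path) are separate syscalls. The `race` callback stands in for whatever
 * a concurrent process does in between; in a real TOCTOU the window is only
 * scheduler timing, which is why exploitation is described as hit or miss. */
int open_checked_racy(const char *path, void (*race)(void *), void *ctx) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                    /* time of check: path is a regular file */
    if (race)
        race(ctx);                    /* the window */
    return open(path, O_RDONLY);      /* time of use: path is resolved again */
}

/* Hardened pattern: open first, refusing a symlink at the final component, then
 * validate the object actually opened through its descriptor. Nothing can be
 * swapped between check and use because both operate on the same handle. */
int open_checked_safe(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Simulated concurrent actor (hypothetical): replaces `path` with a symlink. */
struct swap_ctx { const char *path; const char *target; };
static void swap_for_symlink(void *p) {
    struct swap_ctx *c = p;
    unlink(c->path);
    symlink(c->target, c->path);
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static int read_first_line(int fd, char *buf, size_t n) {
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got <= 0) return -1;
    buf[got] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Build a scratch directory with a harmless file and a second file standing in
 * for a protected target (constructed sample content). Returns 1 when the racy
 * pattern ends up reading the protected file while the hardened pattern refuses
 * the swapped-in symlink; 0 or -1 otherwise. */
int demo(void) {
    char dir[] = "/tmp/toctou_demo_XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char harmless[4096], target[4096], buf[64];
    snprintf(harmless, sizeof harmless, "%s/harmless.txt", dir);
    snprintf(target, sizeof target, "%s/protected.txt", dir);
    if (write_file(harmless, "HARMLESS\n") || write_file(target, "PROTECTED\n"))
        return -1;

    struct swap_ctx ctx = { harmless, target };
    int fd = open_checked_racy(harmless, swap_for_symlink, &ctx);
    int racy_read_target = fd >= 0 && read_first_line(fd, buf, sizeof buf) == 0
                           && strcmp(buf, "PROTECTED") == 0;

    /* harmless.txt is now a symlink: the hardened open refuses it outright. */
    int safe_fd = open_checked_safe(harmless);
    int safe_refused = safe_fd < 0;
    if (safe_fd >= 0) close(safe_fd);

    unlink(harmless); unlink(target); rmdir(dir);
    return racy_read_target && safe_refused;
}

int main(void) {
    printf("racy pattern fooled, hardened pattern held: %s\n", demo() == 1 ? "yes" : "no");
    return 0;
}
```

The same principle is what a defensive fix for a SYSTEM service looks like on any platform: decide on an already-open handle, never re-resolve a path an unprivileged user can influence, and refuse reparse points or symlinks at the point of opening. `O_NOFOLLOW` only covers the final component; for directories the caller does not own, the full treatment also opens the parent directory and uses `openat` relative to it.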
“Exploitation is a race condition, so it’s hit or miss,” said the researcher. “On some machines I was able to get a 100% success rate, on others I struggled to get it to work.”
Security firm ThreatLocker has confirmed that the flaw works and released a video demonstration. “Our initial analysis confirms that the RoguePlanet exploit is valid and works as described,” CEO Danny Jenkins said. He added that application whitelisting could prevent the exploit from running.
The proof-of-concept was published on the researcher’s own Git repository after, according to the researcher, Microsoft had removed the GitHub and GitLab repositories that hosted the previous work. It is part of an escalating dispute: Microsoft has set its Digital Crimes Unit on the researcher and revoked access to their Microsoft Security Response Center account.
Chaotic Eclipse has released seven zero-days over the course of several months: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and now RoguePlanet. Microsoft’s June Patch Tuesday fixed two of them, GreenPlasma and YellowKey; the other five remain unpatched. The researcher says the disclosures are retaliation for how Microsoft handled the process.
“They mopped the floor with me and pulled every child’s play they could,” the researcher wrote. “I wondered if I was dealing with a huge corporation or someone who was having fun watching me suffer.”
The timing is notable. Microsoft’s June Patch Tuesday was its largest yet, fixing 200 vulnerabilities, including 33 rated critical and three publicly disclosed zero-days. Analysts attribute the growth in part to AI-assisted code auditing finding vulnerabilities faster, rather than to defenders patching more. Arriving just hours after the record update, RoguePlanet underscores the gap: even the biggest patch cycle in Microsoft’s history was immediately out of date for anyone running Windows Defender.