A patch Microsoft launched on Wednesday to repair a zero-day vulnerability in its Defender safety engine might trigger Home windows machines to jot down recordsdata massive sufficient to utterly eat obtainable disk area, the researcher who found the flaw stated.
RoguePlanet, tracked as CVE-2026-50656, got here to public discover in June when NightmareEclipse, the pseudonymous identify utilized by a researcher, disclosed it together with code for exploiting it. The vulnerability permits distant attackers to achieve administrative management of Home windows 10 and Home windows 11 machines, even when real-time safety has been disabled. Over the previous few months, the nameless researcher has printed a handful of different zero-days which have despatched Microsoft scrambling to develop patches.
Writing recordsdata of limitless dimension
Microsoft stated Wednesday that it patched RoguePlanet with an replace to the Microsoft Malware Safety Engine, which is utilized by the Defender antivirus app. The repair will routinely be downloaded and put in with out customers having to take any motion. Wednesday’s replace additionally contains “defense-in-depth updates to assist enhance security-related options.”
In a put up on Thursday, NightmareEclipse stated the defense-in-depth additions produce conduct that will enable attackers to exhaust all obtainable area on a tough drive by writing huge quantities of information to it. The newly launched mitigations create an issue in mpengine.dll, the driving force related to the Microsoft Malware Safety Engine, that in some instances causes it to leak 8 bytes of information when making an attempt to open a file. New performance in SpyNet, a cloud service that permits Microsoft Safety Necessities or Forefront Endpoint Safety to ship reviews about suspicious software program and applications to Microsoft, additionally performs a task within the potential mass file-writing conduct.
Defender usually locations exhausting limits on how massive a file will be written to disk when scanning and quarantining a machine.
“This implementation make [sic] sense, as a result of quarantining an enormous file will trigger Defender to utterly exhaust the obtainable disk area,” the researcher wrote. “I discovered a small exception to this rule, apparently the spynet features in mpengine.dll actually desires [sic] to maintain a neighborhood copy of Zone.Identifier ADS file and it doesn’t matter how massive this file is, Home windows Defender will cache it regionally in any case.”










Leave a Reply