A freshly disclosed Windows zero-day dubbed “RoguePlanet” is making the rounds, and the mechanism is clever. The exploit targets a race condition inside Microsoft Defender, the built-in antivirus, and uses it to escalate from a standard user account all the way up to SYSTEM. Defender's engine service already runs as SYSTEM, so a bug that lets an unprivileged caller steer what it does is a direct path to full control of the host.
Race conditions are timing bugs: two threads or processes touch the same resource at nearly the same time, and the result depends on which one gets there first. The classic exploitable form is check-then-use, where a privileged process validates something about a resource and then acts on it; an attacker who can change the resource in the gap between those two steps makes the privileged process act on something it never checked. Attackers win that race by manipulating timing, and the payoff here is elevated access for an unprivileged caller. The fact that the attack surface is Defender itself adds insult to injury: the tool meant to protect the system becomes the escalation path.
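The check-then-use pattern, as an added illustration that is not from the SecurityWeek report and does not reproduce the RoguePlanet mechanism (whose internals are not described here). The "policy" is a constructed size limit standing in for whatever a privileged service checks before it acts; the file names, the `attacker_hook` parameter and the sample files are hypothetical, and the hook is there only to make the race deterministic so the vulnerable and hardened versions can be compared side by side:

```python
"""Added example: a check-then-use (TOCTOU) race in a privileged file
operation, beside a hardened version. Generic textbook pattern only; it
does not reproduce RoguePlanet, whose internals are not described here.
Names, paths and the size-limit 'policy' are constructed for illustration."""
import os
import tempfile

LIMIT = 64  # constructed policy: the privileged reader may only touch small files
O_BINARY = getattr(os, "O_BINARY", 0)  # avoid text-mode translation on Windows


def vulnerable_read(path, attacker_hook=None):
    """Validate by path, then open by path. The gap between os.stat() and
    open() is the race window: open() resolves the path a second time."""
    st = os.stat(path)                       # check ...
    if st.st_size > LIMIT:
        raise PermissionError("policy: file too large")
    if attacker_hook:
        attacker_hook()                      # ... attacker changes what 'path' names ...
    with open(path, "rb") as f:              # ... use: reads whatever is there now
        return f.read()


def hardened_read(path, attacker_hook=None):
    """Open once, check the handle with fstat(), read from that same handle.
    Renaming the path afterwards cannot change which file the handle refers to."""
    fd = os.open(path, os.O_RDONLY | O_BINARY)
    try:
        st = os.fstat(fd)                    # check the object we actually hold
        if st.st_size > LIMIT:
            raise PermissionError("policy: file too large")
        if attacker_hook:
            attacker_hook()                  # same window, but the path no longer matters
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def run_race(reader):
    """Stage a small allowed file and an over-limit forbidden file, let the
    attacker swap them inside the reader's window, and return what was read
    (None if the policy check refused). Both files are constructed sample data."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.txt")
        forbidden = os.path.join(d, "forbidden.txt")
        with open(target, "wb") as f:
            f.write(b"small, allowed")
        with open(forbidden, "wb") as f:
            f.write(b"X" * (LIMIT + 1))      # must never reach the caller

        def swap():
            # Attacker's move: put the forbidden file at the already-checked path.
            try:
                os.replace(forbidden, target)
            except PermissionError:
                pass  # Windows refuses to replace a file someone holds open

        try:
            return reader(target, attacker_hook=swap)
        except PermissionError:
            return None


if __name__ == "__main__":
    print("vulnerable:", run_race(vulnerable_read))  # the over-limit content leaks through
    print("hardened:  ", run_race(hardened_read))    # b'small, allowed'
```

The fix is not "check faster"; it is to stop re-resolving the path. Every decision in `hardened_read` is made about the handle the process already holds, so nothing the attacker does to the directory entry afterwards changes the object being read. The Windows-native equivalent of `fstat()` on a handle is `GetFileInformationByHandle`; the same rule applies to ACL checks, ownership checks, and anything else a SYSTEM service decides before it acts.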
There’s no patch yet. Until one ships, layered controls are what you have: application control (WDAC or AppLocker) to keep unexpected or unsigned binaries from running as the initial foothold, and behavioral detection or EDR to flag what an attacker does once running as SYSTEM, because signature-based scanning alone will not recognize a novel exploit like this. Keep an eye out for an emergency update from Redmond, and confirm your endpoints are actually receiving Defender engine and platform updates rather than just signature files.
Source: SecurityWeek
