Microsoft-Threatened Researcher Drops Seventh Windows Zero-Day
Security researcher Chaotic Eclipse has publicly released "RoguePlanet," a seventh Windows zero-day exploit, just hours after Microsoft's record-breaking June Patch Tuesday. This vulnerability grants SYSTEM privileges on fully patched Windows 10 and 11 systems, deepening a dispute with Microsoft over previous disclosures. The exploit leverages a race condition in Windows Defender.

Security researcher "Chaotic Eclipse," who previously faced threats from Microsoft, has publicly released a seventh Windows zero-day exploit, dubbed "RoguePlanet." This disclosure came merely hours after the tech giant’s record-setting June Patch Tuesday, reigniting an escalating and contentious public dispute over vulnerability reporting.
The newly revealed RoguePlanet vulnerability grants attackers SYSTEM-level privileges on fully updated Windows 10 and 11 systems. This means that even machines that applied Microsoft’s latest patches remain susceptible to this particular exploit, underscoring a significant challenge in maintaining system security.
Unpacking the RoguePlanet Exploit
RoguePlanet specifically leverages a race condition within Windows Defender's internal processing logic, identified as a Time-of-Check to Time-of-Use (TOCTOU) flaw. This allows an unprivileged user to maliciously redirect a file operation, typically performed by Defender with SYSTEM privileges, to execute attacker-controlled code at the highest possible access level. The researcher noted that while the exploit can be "hit or miss," they achieved a 100% success rate on some test machines.
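The bug class named above, shown as an added example that is not from the researcher, Microsoft, or Defender: a POSIX analogue in which a check-then-use file open is contrasted with a handle-based open that validates the object it actually opened. All function names, paths and file contents are hypothetical and constructed for this illustration, and the change to the path between check and use is simulated deterministically by a callback.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
static char work[64], target[80], other[80];   /* constructed sample paths */
static void put(const char *p, const char *s) {
    FILE *f = fopen(p, "w");
    if (f) { fputs(s, f); fclose(f); }
}
/* Stand-in for a concurrent change to the path between check and use. */
static void swap_path(void) {
    if (unlink(target) == 0 && symlink(other, target) != 0) perror("symlink");
}
/* Check-then-use: the path is resolved twice, once per step. */
int open_by_path(const char *p, void (*window)(void)) {
    struct stat st;
    if (lstat(p, &st) != 0 || !S_ISREG(st.st_mode)) return -1; /* check */
    if (window) window();                                      /* gap */
    return open(p, O_RDONLY);                                  /* use */
}
/* Hardened: resolve once, refuse links, check the descriptor, not the path. */
int open_by_handle(const char *p, void (*window)(void)) {
    struct stat st;
    if (window) window();
    int fd = open(p, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}
/* Returns 1 if the opener ended up reading the other file, else 0. */
int redirected(int (*opener)(const char *, void (*)(void))) {
    char buf[16] = {0};
    strcpy(work, "/tmp/toctouXXXXXX");
    if (!mkdtemp(work)) return -1;
    snprintf(target, sizeof target, "%s/sample", work);
    snprintf(other, sizeof other, "%s/other", work);
    put(target, "sample"); put(other, "other");
    int fd = opener(target, swap_path);
    if (fd >= 0) { if (read(fd, buf, sizeof buf - 1) < 0) buf[0] = 0; close(fd); }
    unlink(target); unlink(other); rmdir(work);
    return strcmp(buf, "other") == 0;
}
int main(void) {
    printf("by path: %d, by handle: %d\n", redirected(open_by_path), redirected(open_by_handle));
    return 0;
}
```

The path-based opener passes its check and then reads a different object, while the handle-based opener refuses the link and never reads it.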
The viability of RoguePlanet has been independently confirmed by security firm ThreatLocker. Danny Jenkins, CEO of ThreatLocker, stated, "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described." He also highlighted that implementing application allowlisting could prevent the exploit from successfully executing, offering a potential mitigation strategy.
A Deepening Feud with Microsoft
This public release marks the latest escalation in a bitter conflict between Chaotic Eclipse and Microsoft. The researcher claims these disclosures are in direct retaliation for Microsoft's aggressive handling of their previous vulnerability reports. This alleged behavior includes threats of criminal prosecution, the invocation of Microsoft's Digital Crimes Unit, and the revocation of Chaotic Eclipse’s access to their Microsoft Security Response Center (MSRC) account. Furthermore, the researcher stated that Microsoft had earlier proof-of-concept exploits removed from both GitHub and GitLab repositories.
Chaotic Eclipse has openly expressed deep frustration with Microsoft's approach, characterizing their actions as "childish games" and accusing the corporation of deliberately causing them distress throughout the disclosure process.
Patch Tuesday's Ironic Aftermath
The timing of RoguePlanet's release is particularly poignant, coming almost immediately after Microsoft's largest-ever June Patch Tuesday. This historic update cycle addressed an unprecedented 200 vulnerabilities, including 33 critical flaws and three zero-days that were already publicly known. However, RoguePlanet's emergence highlights a critical gap: despite this monumental patching effort, fully updated systems are immediately vulnerable to this new threat.
Of the seven zero-days disclosed by Chaotic Eclipse—BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and now RoguePlanet—only GreenPlasma and YellowKey were addressed in the recent Patch Tuesday. This leaves five other vulnerabilities previously reported by the researcher still unpatched, further fueling the ongoing dispute and the immediate risk to Windows users.
The Accelerating Cybersecurity Landscape
This incident underscores a broader trend in cybersecurity: the accelerating pace of vulnerability discovery. Industry analysts suggest that advancements in tools like AI-assisted code auditing are enabling researchers to identify flaws at an unprecedented rate. This creates a challenging environment where even the most comprehensive patching efforts struggle to keep pace with newly emerging threats, effectively placing defenders in a continuous uphill battle against an evolving landscape of vulnerabilities.
With RoguePlanet now publicly detailed, the immediate risk to Windows users persists, emphasizing the urgent need for a multi-layered defense strategy beyond traditional patching. The ongoing saga between Chaotic Eclipse and Microsoft continues to illuminate the complex dynamics of responsible disclosure and corporate responses in the critical cybersecurity domain.
FAQ
Q: What is RoguePlanet and what kind of vulnerability does it exploit?
A: RoguePlanet is the seventh Windows zero-day exploit released by security researcher Chaotic Eclipse. It exploits a race condition, specifically a Time-of-Check to Time-of-Use (TOCTOU) vulnerability, within Windows Defender's internal processing logic, allowing an unprivileged user to gain SYSTEM privileges.
Q: Why did Chaotic Eclipse release this zero-day publicly?
A: Chaotic Eclipse stated that the public disclosures are in retaliation for Microsoft's handling of the vulnerability reporting process. This includes Microsoft allegedly threatening criminal prosecution, invoking its Digital Crimes Unit, revoking the researcher's MSRC account access, and removing earlier exploit repositories from GitHub and GitLab.
Q: How does RoguePlanet impact users who have applied the latest Patch Tuesday updates?
A: RoguePlanet affects fully patched Windows 10 and 11 machines, meaning that even systems updated with Microsoft's record-setting June Patch Tuesday remain vulnerable to this specific zero-day. While Patch Tuesday addressed many issues, RoguePlanet was not among them, and five of Chaotic Eclipse's seven disclosed zero-days remain unpatched.