Patch for Windows Defender 0-day could allow attackers to fill hard disk
Patch for Windows Defender 0-day could allow attackers to fill hard disk
Windows Defender 零日漏洞补丁可能导致攻击者填满硬盘空间
A patch Microsoft released on Wednesday to fix a zero-day vulnerability in its Defender security engine may cause Windows machines to write files large enough to completely consume available disk space, the researcher who discovered the flaw said. 微软周三发布了一个补丁,旨在修复其 Defender 安全引擎中的一个零日漏洞。然而,发现该漏洞的研究人员表示,此补丁可能会导致 Windows 机器写入巨大的文件,从而耗尽所有可用磁盘空间。
RoguePlanet, tracked as CVE-2026-50656, came to public notice in June when NightmareEclipse, the pseudonymous name used by a researcher, disclosed it along with code for exploiting it. The vulnerability allows remote attackers to gain administrative control of Windows 10 and Windows 11 machines, even when real-time protection has been disabled. Over the past few months, the anonymous researcher has published a handful of other zero-days that have sent Microsoft scrambling to develop patches. RoguePlanet(编号为 CVE-2026-50656)于今年 6 月进入公众视野,当时化名为 NightmareEclipse 的研究人员披露了该漏洞及其利用代码。该漏洞允许远程攻击者获取 Windows 10 和 Windows 11 机器的管理员权限,即使在实时保护功能被禁用的情况下也是如此。在过去的几个月里,这位匿名研究人员还发布了其他几个零日漏洞,迫使微软忙于开发补丁。
Writing files of unlimited size
写入无限大小的文件
Microsoft said Wednesday that it patched RoguePlanet with an update to the Microsoft Malware Protection Engine, which is used by the Defender antivirus app. The fix will automatically be downloaded and installed without users having to take any action. Wednesday’s update also includes “defense-in-depth updates to help improve security-related features.” 微软周三表示,已通过更新 Microsoft Malware Protection Engine(Defender 防病毒应用所使用的引擎)修复了 RoguePlanet 漏洞。该修复程序将自动下载并安装,用户无需进行任何操作。周三的更新还包括“旨在帮助改进安全相关功能的深度防御更新”。
In a post on Thursday, NightmareEclipse said the defense-in-depth additions produce behavior that may allow attackers to exhaust all available space on a hard drive by writing massive amounts of data to it. The newly introduced mitigations create a problem in mpengine.dll, the driver associated with the Microsoft Malware Protection Engine, that in some cases causes it to leak 8 bytes of data when trying to open a file. NightmareEclipse 在周四的一篇文章中表示,这些深度防御更新产生了一种行为,可能允许攻击者通过写入海量数据来耗尽硬盘上的所有可用空间。新引入的缓解措施在 mpengine.dll(与 Microsoft Malware Protection Engine 关联的驱动程序)中引发了一个问题,在某些情况下,该驱动程序在尝试打开文件时会泄漏 8 字节的数据。
New functionality in SpyNet, a cloud service that allows Microsoft Security Essentials or Forefront Endpoint Protection to send reports about suspicious software and programs to Microsoft, also plays a role in the potential mass file-writing behavior. Defender normally places hard limits on how big a file can be written to disk when scanning and quarantining a machine. SpyNet 中的新功能也在这种潜在的大规模文件写入行为中起到了作用。SpyNet 是一项云服务,允许 Microsoft Security Essentials 或 Forefront Endpoint Protection 向微软发送有关可疑软件和程序的报告。通常情况下,Defender 在扫描和隔离机器时,会对写入磁盘的文件大小设置严格限制。
“This implementation make [sic] sense, because quarantining a huge file will cause Defender to completely exhaust the available disk space,” the researcher wrote. “I found a small exception to this rule, apparently the spynet functions in mpengine.dll really wants [sic] to keep a local copy of Zone.Identifier ADS file and it does not matter how big this file is, Windows Defender will cache it locally anyways.” “这种实现方式是有道理的,因为隔离一个巨大的文件会导致 Defender 完全耗尽可用磁盘空间,”该研究人员写道。“我发现了这个规则的一个小例外,显然 mpengine.dll 中的 SpyNet 功能确实想要保留 Zone.Identifier ADS 文件的本地副本,无论这个文件有多大,Windows Defender 都会将其缓存在本地。”
A Zone.Identifier is a hidden metadata file, sometimes called an alternative data stream, that Windows automatically associates with files downloaded from the Internet or received in email or other external sources. The data stream allows Windows to mark the file’s origin and the security zone it should receive. Zone.Identifier 是一种隐藏的元数据文件,有时被称为“备用数据流”(Alternative Data Stream),Windows 会自动将其与从互联网下载或通过电子邮件及其他外部来源接收的文件关联起来。该数据流允许 Windows 标记文件的来源及其应归属的安全区域。
NightmareEclipse said that a malicious actor could trigger this behavior using Server Message Block, a communications protocol for sharing files over a local Windows network. The researcher explained: You will need a special setup to exploit this, a custom SMB server that will be handling requests from Windows Defender is needed, the SMB server should serve a malicious file (a good example is mimikatz executable) followed by a massive ADS file (a good example is mimikatz.exe:Zone.Identifier), in the process of replying to the read requests, at some point the SMB server should never respond to the read request but keep the connection alive. This will cause Defender to hang and keep a lock on the offending files that holds the entire disk space. Obviously this won’t crash the machine but windows won’t behave properly with a full disk, multiple apps and services crash randomly. NightmareEclipse 表示,恶意行为者可以使用服务器消息块(SMB,一种用于在本地 Windows 网络上共享文件的通信协议)来触发此行为。该研究人员解释道:你需要一个特殊的设置来利用这一点,即需要一个处理来自 Windows Defender 请求的自定义 SMB 服务器。该 SMB 服务器应提供一个恶意文件(例如 mimikatz 可执行文件),随后是一个巨大的 ADS 文件(例如 mimikatz.exe:Zone.Identifier)。在响应读取请求的过程中,SMB 服务器在某个时刻应停止响应读取请求,但保持连接活跃。这将导致 Defender 挂起,并锁定占用整个磁盘空间的违规文件。显然,这不会导致机器崩溃,但磁盘空间占满后 Windows 将无法正常运行,多个应用程序和服务会随机崩溃。
Microsoft didn’t immediately answer questions asking if it could confirm the described behavior existed. NightmareEclipse and Microsoft have been locked in a heated dispute since at least May, when the researcher said Microsoft silently patched a vulnerability the researcher had privately reported. In the weeks following, the researcher released details and exploit code for a handful of vulnerabilities before Microsoft had a chance to patch them. 微软没有立即回答有关其是否能确认上述行为存在的问题。自至少 5 月以来,NightmareEclipse 与微软一直处于激烈的争执中,当时该研究人员称微软悄悄修复了他私下报告的一个漏洞。在随后的几周里,该研究人员在微软有机会修复之前,发布了多个漏洞的详细信息和利用代码。
Microsoft, in turn, has publicly railed against the researcher for “not responsibly” disclosing the vulnerabilities and made a veiled reference to the possibility of pursuing legal action. After a public backlash, Microsoft relented and vowed no such legal action would occur. Thursday’s salvo suggests that the feud has yet to be resolved. 作为回应,微软公开指责该研究人员“不负责任”地披露漏洞,并含蓄地提到了采取法律行动的可能性。在引发公众强烈反对后,微软做出让步,承诺不会采取此类法律行动。周四的这一轮交锋表明,双方的争端尚未解决。