AI Security AI安全 1d ago Updated 1d ago 更新于 1天前 42

Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges 微软修复了可授予SYSTEM权限的RoguePlanet Defender漏洞

Microsoft patched CVE-2026-50656, a critical privilege escalation vulnerability in the Microsoft Malware Protection Engine (mpengine.dll) dubbed "RoguePlanet." The flaw allows attackers to spawn a shell with SYSTEM-level privileges via a race condition, bypassing both real-time protection and standard defenses. Discovered by researcher Chaotic Eclipse, this is the fourth Defender vulnerability from this source, following BlueHammer, UnDefend, and RedSun. The fix is included in Microsoft Malware 微软修复了Microsoft Defender中的“RoguePlanet”漏洞(CVE-2026-50656),该漏洞可导致SYSTEM权限提升。 漏洞根源在于恶意软件保护引擎(mpengine.dll)中的竞态条件,CVSS评分为7.8。 该漏洞由安全研究员Chaotic Eclipse披露,可在实时保护开启或关闭的情况下利用。 微软表示无需用户手动操作,默认配置会自动更新引擎以防御此威胁。 这是该研究员披露的第四个Defender漏洞,此前三个(BlueHammer, UnDefend, RedSun)均已修复。

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • Microsoft patched CVE-2026-50656, a critical privilege escalation vulnerability in the Microsoft Malware Protection Engine (mpengine.dll) dubbed "RoguePlanet."
  • The flaw allows attackers to spawn a shell with SYSTEM-level privileges via a race condition, bypassing both real-time protection and standard defenses.
  • Discovered by researcher Chaotic Eclipse, this is the fourth Defender vulnerability from this source, following BlueHammer, UnDefend, and RedSun.
  • The fix is included in Microsoft Malware Protection Engine version 1.1.26060.3008, with automatic updates ensuring most users are protected without manual intervention.

Why It Matters

This vulnerability highlights a significant risk in endpoint security infrastructure, where the tool designed to protect systems can be exploited to gain the highest level of administrative control. For security practitioners, it underscores the importance of monitoring for race conditions in core security engines and the potential for zero-day exploits to bypass real-time protection mechanisms entirely.

Technical Details

  • Vulnerability Type: Race condition leading to privilege escalation within mpengine.dll.
  • Impact: Grants SYSTEM-level access, allowing arbitrary code execution and unauthorized actions.
  • CVSS Score: 7.8 (High).
  • Affected Component: Microsoft Malware Protection Engine, specifically versions prior to 1.1.26060.3008.
  • Exploit Characteristics: Works on up-to-date Windows systems with June 2026 Patch Tuesday updates; effective regardless of whether real-time protection is enabled.

Industry Insight

  • Organizations should verify that their Microsoft Malware Protection Engines are updated to version 1.1.26060.3008 or later, even though automatic updates are typically enabled by default.
  • Security teams should review patch management strategies for core security components, as vulnerabilities in antivirus engines pose a higher risk than typical application flaws due to their privileged nature.
  • The recurrence of similar high-severity vulnerabilities in Defender suggests a need for rigorous code auditing focused on concurrency issues and race conditions in security-critical software.

TL;DR

  • 微软修复了Microsoft Defender中的“RoguePlanet”漏洞(CVE-2026-50656),该漏洞可导致SYSTEM权限提升。
  • 漏洞根源在于恶意软件保护引擎(mpengine.dll)中的竞态条件,CVSS评分为7.8。
  • 该漏洞由安全研究员Chaotic Eclipse披露,可在实时保护开启或关闭的情况下利用。
  • 微软表示无需用户手动操作,默认配置会自动更新引擎以防御此威胁。
  • 这是该研究员披露的第四个Defender漏洞,此前三个(BlueHammer, UnDefend, RedSun)均已修复。

为什么值得看

本文揭示了Microsoft Defender核心组件存在严重的权限提升风险,即使作为安全防护软件的自身也可能成为攻击入口。对于企业安全团队而言,这强调了即使依赖默认自动更新机制,也需关注底层引擎的安全性和补丁响应速度,特别是在面对已知且被广泛利用的竞态条件漏洞时。

技术解析

  • 漏洞详情:CVE-2026-50656,位于Microsoft Malware Protection Engine (mpengine.dll)中,属于权限提升类漏洞,CVSS评分7.8。
  • 利用方式:通过触发竞态条件(Race Condition),攻击者可以生成具有SYSTEM级别权限的Shell,从而执行任意代码或进行未授权操作。
  • 影响范围:适用于安装了2026年6月Patch Tuesday更新的最新Windows系统。关键在于该利用不依赖于实时保护是否开启,意味着离线或禁用实时防护的系统同样脆弱。
  • 修复版本:Microsoft Malware Protection Engine版本1.1.26060.3008已包含修复及深度防御加固措施。
  • 背景关联:此为研究员Chaotic Eclipse发现的第四个Defender漏洞,显示该组件可能存在系统性安全挑战。

行业启示

  • 安全软件的信任边界:即使是核心的防病毒引擎也存在被利用的风险,企业应意识到“安全工具”本身可能成为攻击面,需定期审查其配置和更新状态。
  • 自动化更新的重要性:微软强调默认配置下的自动更新机制能有效缓解此类威胁,这验证了在缺乏手动干预能力的情况下,强制或默认启用自动安全更新是降低风险的关键策略。
  • 持续监控与补丁管理:鉴于该漏洞在披露近一个月后才被官方正式修补,且此前已有多个同类漏洞被发现,组织应建立更敏捷的漏洞响应流程,缩短从披露到部署补丁的时间窗口。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全