AI News AI资讯 1d ago Updated 23h ago 更新于 23小时前 49

Patch for Windows Defender 0-day could allow attackers to fill hard disk 修复Windows Defender零日漏洞的补丁可能导致攻击者填满硬盘

Microsoft's patch for the RoguePlanet vulnerability (CVE-2026-50656) contains a regression that allows attackers to exhaust disk space via unbounded file writes. The flaw stems from `mpengine.dll` caching `Zone.Identifier` alternative data streams without size limits, bypassing Defender's standard quarantine restrictions. Exploitation requires a custom SMB server to serve a malicious payload followed by a massive ADS file while keeping the connection alive to trigger the disk exhaustion. The inc 微软为修复Windows Defender中的零日漏洞CVE-2026-50656发布的补丁,意外引入了导致磁盘空间耗尽的风险。 安全研究员NightmareEclipse指出,新的“纵深防御”更新在mpengine.dll中引入了数据泄露问题,允许攻击者通过SMB协议触发无限文件写入。 利用该缺陷,攻击者可强制Defender缓存巨大的Zone.Identifier替代数据流文件,从而占满硬盘空间导致系统瘫痪。 此事件加剧了研究员与微软之间关于漏洞披露责任的长期公开冲突,微软尚未确认该行为是否存在。

75
Hot 热度
65
Quality 质量
70
Impact 影响力

Analysis 深度分析

TL;DR

  • Microsoft's patch for the RoguePlanet vulnerability (CVE-2026-50656) contains a regression that allows attackers to exhaust disk space via unbounded file writes.
  • The flaw stems from mpengine.dll caching Zone.Identifier alternative data streams without size limits, bypassing Defender's standard quarantine restrictions.
  • Exploitation requires a custom SMB server to serve a malicious payload followed by a massive ADS file while keeping the connection alive to trigger the disk exhaustion.
  • The incident highlights the risks of rapid "defense-in-depth" updates and ongoing tensions between Microsoft and the anonymous researcher NightmareEclipse.

Why It Matters

This case demonstrates how security patches can inadvertently introduce critical stability issues, specifically resource exhaustion attacks, undermining the very protection they aim to provide. For AI and security practitioners, it underscores the necessity of rigorous regression testing for security components, particularly those involving file I/O and network protocols like SMB. It also serves as a cautionary tale regarding the operational security and disclosure practices in high-stakes vulnerability research.

Technical Details

  • Vulnerability Mechanism: The Microsoft Malware Protection Engine (mpengine.dll) fails to enforce size limits when caching Zone.Identifier alternative data streams (ADS) for SpyNet reporting, unlike its handling of quarantined files.
  • Exploit Vector: Attackers use a custom SMB server to serve a file (e.g., mimikatz) and a subsequent massive ADS file. By refusing to complete the read request while maintaining the connection, the server forces Defender to hang and lock the file, consuming available disk space.
  • Affected Components: Windows Defender, specifically the interaction between the Malware Protection Engine and the SpyNet cloud reporting service.
  • Context: This is a side effect of a patch intended to fix CVE-2026-50656, a zero-day allowing remote code execution with administrative privileges even when real-time protection is disabled.

Industry Insight

  • Patch Management Rigor: Security vendors must implement strict resource-limiting tests in their update pipelines to prevent denial-of-service conditions caused by their own defensive mechanisms.
  • Researcher Relations: The ongoing conflict between Microsoft and NightmareEclipse illustrates the fragility of responsible disclosure ecosystems; aggressive posturing can lead to unpatched vulnerabilities being exploited or causing collateral damage through poorly vetted fixes.
  • SMB Security: Organizations should review SMB configurations and monitor for unusual file locking behaviors, as network file sharing protocols remain a potent attack surface for local privilege escalation and resource exhaustion.

TL;DR

  • 微软为修复Windows Defender中的零日漏洞CVE-2026-50656发布的补丁,意外引入了导致磁盘空间耗尽的风险。
  • 安全研究员NightmareEclipse指出,新的“纵深防御”更新在mpengine.dll中引入了数据泄露问题,允许攻击者通过SMB协议触发无限文件写入。
  • 利用该缺陷,攻击者可强制Defender缓存巨大的Zone.Identifier替代数据流文件,从而占满硬盘空间导致系统瘫痪。
  • 此事件加剧了研究员与微软之间关于漏洞披露责任的长期公开冲突,微软尚未确认该行为是否存在。

为什么值得看

该案例揭示了安全软件自身补丁可能引入严重可用性风险,提醒从业者在部署安全更新时需严格评估其对系统资源的影响。同时,它凸显了第三方安全组件(如Defender引擎)在处理外部输入时的边界条件缺陷,是理解现代端点保护架构脆弱性的典型实例。

技术解析

  • 漏洞根源:微软在修复CVE-2026-50656时添加了“纵深防御”更新,导致关联的Microsoft Malware Protection Engine驱动(mpengine.dll)在尝试打开文件时发生8字节数据泄露。
  • 异常行为机制:尽管Defender通常对隔离文件的写入大小有硬性限制,但SpyNet云服务功能存在例外逻辑,强制保留本地副本的Zone.Identifier替代数据流(ADS),且不受文件大小限制。
  • 攻击向量:攻击者需搭建自定义SMB服务器,提供恶意文件(如mimikatz)及巨大的ADS文件。当Defender扫描并读取这些文件时,若SMB服务器保持连接但不响应读取请求,Defender将挂起并锁定文件,持续占用磁盘空间直至耗尽。
  • 影响范围:受影响的系统包括Windows 10和Windows 11,即使实时保护被禁用,远程攻击者仍可获取管理员控制权,而此次补丁副作用则导致拒绝服务(DoS)。

行业启示

  • 补丁验证的重要性:安全厂商在发布紧急零日补丁时,必须对新增的安全缓解措施进行严格的回归测试,特别是针对资源消耗和边界条件的验证,防止“治标不治本”或引发新的可用性危机。
  • 供应链与第三方依赖风险:企业应意识到内置安全组件(如Defender)的复杂性带来的潜在风险,建议在重大更新前进行沙箱测试或监控磁盘I/O行为,以防范因安全软件异常导致的业务中断。
  • 漏洞披露生态的紧张关系:研究员与厂商之间的对抗性关系可能导致非预期的安全后果,行业需要建立更透明的沟通机制和责任框架,以确保漏洞修复过程既快速又稳健,避免将安全更新变成新的攻击面。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全