Microsoft Defender's 'RedSun' zero-day: A researcher's protest and a threat to Windows systems

April 17, 2026 | 7 min read | 5 sources

Introduction: A Zero-Day with a Message

In early November 2023, the cybersecurity community was put on high alert by the public disclosure of a zero-day vulnerability in Microsoft Defender, the default antivirus solution for hundreds of millions of Windows users. Dubbed "RedSun" by its discoverer, researcher Abdelhamid Naceri (also known as "Chaotic Eclipse"), the flaw allowed a local attacker to escalate their privileges to SYSTEM, effectively gaining complete control over a targeted machine. This wasn't just another vulnerability report; it was a public statement. RedSun marked the second critical Defender bug Naceri had published a proof-of-concept (PoC) for in as many weeks, a move he described as a protest against Microsoft's bug bounty program and its handling of security submissions.

The incident highlights a persistent tension between independent security researchers and technology giants, raising critical questions about responsible disclosure, researcher compensation, and the security of core system components. For enterprise defenders and individual users alike, RedSun serves as a stark reminder that even the tools designed to protect us can become attack vectors.

Technical Analysis: Abusing Trust with NTFS Junctions

At its core, RedSun (officially tracked as CVE-2023-36036) is a Local Privilege Escalation (LPE) vulnerability. This means an attacker who has already gained initial, low-level access to a system—perhaps through a phishing email or another exploit—can leverage RedSun to elevate their permissions to the highest level, NT AUTHORITY\SYSTEM. Gaining SYSTEM privileges is the endgame for many attackers on a local machine, as it allows them to disable security controls, install persistent malware like rootkits, and access any data on the device.

The exploit chain is a clever manipulation of file system operations and the trusted status of Microsoft Defender's core process, MsMpEng.exe. According to Naceri's publicly released PoC on GitHub, the attack unfolds in several steps:

  1. Arbitrary File Deletion: The vulnerability grants an attacker the ability to delete arbitrary files, even those protected by SYSTEM-level permissions. This is the entry point for the exploit.
  2. Targeting Defender's Files: The attacker targets a specific file that the MsMpEng.exe service uses during its operations and deletes it.
  3. NTFS Junction Point Abuse: This is the crucial step. After deleting the target file, the attacker creates an NTFS junction point where the file used to be. A junction point is similar to a shortcut, but it operates at the file system level, transparently redirecting any process that tries to access the original path. The attacker sets this junction to point to a directory they control.
  4. DLL Hijacking and Execution: The attacker places a malicious DLL (Dynamic Link Library) inside their controlled directory, giving it the same name as the original file Defender was expecting to find. When the MsMpEng.exe service, running with SYSTEM privileges, attempts to access its file, the NTFS junction redirects it. Defender unwittingly loads and executes the attacker's malicious DLL, but it does so with its own high-level permissions.

This technique is particularly effective because it abuses a highly privileged and trusted process. Security software often operates with elevated permissions to scan and remediate threats across the entire system, making it a prime target for this type of attack. The RedSun vulnerability followed its predecessor, "RedRain" (CVE-2023-36025), which Naceri had also disclosed and which used a nearly identical attack pattern. According to reporting from BleepingComputer, Naceri released the RedSun PoC after Microsoft allegedly closed his report as a duplicate of the already-patched RedRain, a claim he disputed.

Impact Assessment: A Widespread but Local Threat

The potential impact of RedSun was extensive, affecting a vast range of products including Windows 10, Windows 11, and modern Windows Server editions. Because Microsoft Defender is enabled by default, nearly every user of these operating systems was theoretically vulnerable prior to patching.

However, it is important to contextualize the threat. As an LPE, RedSun cannot be exploited remotely on its own. An attacker must first establish a foothold on the target system. This makes it a post-exploitation tool, but a powerful one. For threat actors like ransomware gangs, gaining SYSTEM access is a critical step for deploying their payload and disabling security software that might detect or stop the encryption process. Similarly, advanced persistent threat (APT) groups use LPEs to establish deep, persistent access within a compromised network.

The public release of a working PoC before a patch was available significantly raised the immediate risk. It lowered the barrier to entry, allowing less sophisticated attackers to potentially weaponize the exploit and integrate it into their toolkits. For corporate security teams, this created an urgent need to detect signs of exploitation and prepare for patching as soon as a fix became available.

The Disclosure Debate: A Necessary Evil?

Naceri's decision to publicly release a zero-day exploit reignited the long-standing debate over responsible disclosure. The generally accepted practice involves privately reporting a flaw to a vendor and allowing them a reasonable period (typically 90 days) to develop a patch before any public announcement. This approach prioritizes user safety.

However, Naceri and other researchers argue that this model can fail when vendors are unresponsive, slow to issue fixes, or offer bug bounty rewards that are disproportionately low for the severity of the flaw. Naceri cited a bounty of just $1,000 for LPEs from Microsoft as a point of frustration. By releasing the PoC, he forced Microsoft's hand, ensuring the vulnerability was patched in the next cycle (which it was, in the November 14, 2023 Patch Tuesday release). The fact that Microsoft ultimately assigned RedSun its own CVE, separate from RedRain, validated Naceri's claim that it was not a duplicate. While this tactic achieved its goal, it also exposed millions of users to a known, unpatched, and exploitable vulnerability for a period of time.

How to Protect Yourself

While the RedSun vulnerability has been addressed by Microsoft, the principles for defending against it and similar threats remain constant. Both individuals and organizations should adopt a defense-in-depth strategy.

  • Apply Security Updates Immediately: The most direct countermeasure is to patch the vulnerability. Microsoft patched CVE-2023-36036 in its November 2023 security updates. Ensure your systems are configured to receive and install Windows Updates automatically. This is the single most important step.
  • Prevent the Initial Breach: Since this is a local privilege escalation exploit, preventing the initial compromise is key. This includes practicing good cyber hygiene: be wary of phishing emails, avoid downloading software from untrusted sources, and use strong, unique passwords with multi-factor authentication (MFA).
  • Enforce the Principle of Least Privilege: In corporate environments, users should not have administrative rights unless absolutely necessary for their role. Running as a standard user limits the immediate damage an attacker can do upon gaining initial access and forces them to use an LPE exploit like RedSun, which provides an opportunity for detection.
  • Monitor System Activity: For organizations, Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) systems are vital. Security teams should configure monitoring to detect suspicious behavior, such as the creation of unusual NTFS junction points or unexpected processes being spawned by MsMpEng.exe.
  • Secure Your Connection: Protecting your data in transit can help prevent some forms of initial compromise, especially on untrusted networks. Using a hide.me VPN can provide strong encryption for your internet traffic, shielding it from eavesdroppers who might try to capture credentials or exploit browser vulnerabilities.

The RedSun incident is more than a story about a single bug. It is a case study in the complex, sometimes adversarial relationship between those who build technology and those who break it for the greater good. While patched and neutralized, its legacy is a potent reminder of the fragility of our digital infrastructure and the human element that drives its security forward.


// FAQ

What was the 'RedSun' vulnerability?

RedSun (CVE-2023-36036) was a zero-day local privilege escalation (LPE) vulnerability in Microsoft Defender. It allowed an attacker with initial low-level access to a Windows system to gain full SYSTEM privileges, effectively taking complete control of the machine.

Am I still vulnerable to RedSun?

If your Windows system is up-to-date, you are no longer vulnerable. Microsoft patched the RedSun vulnerability in its security updates released on Patch Tuesday, November 14, 2023. It is essential to ensure your operating system is regularly updated.

Why did the security researcher release the exploit publicly?

The researcher, Abdelhamid Naceri, released the proof-of-concept exploit as a protest against Microsoft's bug bounty program. He cited low rewards for critical bugs and claimed Microsoft had incorrectly dismissed his vulnerability report as a duplicate of a previously patched issue.

What is a Local Privilege Escalation (LPE) attack?

An LPE attack is a type of exploit where a malicious actor who has already gained limited access to a system (as a standard user) can elevate their permissions to a higher level, such as an administrator or SYSTEM. This allows them to bypass security measures, install malware, and access sensitive data.

How did the RedSun exploit work?

The exploit worked by first using a flaw to delete a file that the Microsoft Defender service (`MsMpEng.exe`) needs. The attacker would then create an NTFS junction point (a file system redirect) in its place, pointing to a directory under their control that holds a malicious DLL with the expected name. When Defender tried to access the original file, it was redirected and executed the malicious code with SYSTEM privileges.
