Researchers warn Microsoft Defender vulnerability is already being exploited

Alfonso Maruccia

Posts: 2,593   +975
Staff
WTF?! Microsoft Defender Antivirus is designed to serve as the first line of defense for countless Windows systems, protecting PCs from malware and other threats. However, according to a recent vulnerability disclosure, Windows' native antivirus tool may not be as effective at doing its job as intended – and Microsoft appears largely unconcerned.

A security researcher known as Chaotic Eclipse recently disclosed a vulnerability dubbed "Red Sun" affecting Microsoft Defender Antivirus. While criticizing Microsoft's handling of the issue, Chaotic Eclipse explained that their proof-of-concept code could potentially be used to bypass Defender's protections. The researcher also claimed that malicious actors have already begun attempting to exploit the issue.

The Red Sun flaw reportedly stems from unusual behavior in Defender when handling potentially malicious files marked with a "cloud" tag. According to the researcher, the antivirus may, under certain conditions, restore or rewrite such files to their original location on the volume. The PoC demonstrates how this behavior could be abused to overwrite system files and potentially escalate privileges.

"I think anti-malware products are supposed to remove malicious files not be sure they are there but that's just me," remarked Chaotic Eclipse.

Earlier this month, the researcher also disclosed another zero-day exploit, named BlueHammer. He stated that the Microsoft Security Response Center was unwilling to classify the flaw as a significant security issue, which led him to publicly release the proof-of-concept code.

In a more recent post about Red Sun, Chaotic Eclipse claimed that his relationship with the MSRC team has further deteriorated. He alleged that Microsoft developers are now actively targeting him and engaging in what he described as "childish" behavior intended to undermine him.

"It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision," he said.

Chaotic Eclipse has accused Microsoft security staff of undermining parts of the security research community, rather than supporting independent researchers attempting to report vulnerabilities. He also referenced earlier disclosures in which other researchers reportedly expressed frustration with MSRC's handling of certain reports.

Regardless, the Red Sun exploit is considered a legitimate security issue that the community is actively discussing. Researchers have also identified potential in-the-wild threats targeting BlueHammer, Red Sun, and a third vulnerability named UnDefend.

Chaotic Eclipse discovered Red Sun while analyzing the CVE-2026-33825 patch Microsoft released in this month's Patch Tuesday update. Microsoft is expected to issue further patches to address related issues as they are identified, even as debate continues within the security community about MSRC's handling of disclosures.

Some researchers argue that users should rely on third-party antivirus solutions rather than Microsoft Defender, though opinions vary widely on this topic. Chaotic Eclipse also mentioned a preference for Bitdefender Antivirus Free, describing it as a lightweight, Europe-based security product built on a widely used anti-malware engine.

Permalink to story:

 
I started counting the number of words like may, could, allegedly, potentially, reportedly etc. but got tired halfway through the article.

Instead of whining, "Chaotic Eclipse" should simply create a demo showing how the allegedly potential vulnerability is used on a real system, along with instructions and everything else necessary to reproduce the reportedly existing problem.

What's the source of this? Reddit?
And who are the "researchers" (plural)?
 
Anyone else got tired of Microslop's antics? Windows 10 was too good (for the time)? Make Windo
I started counting the number of words like may, could, allegedly, potentially, reportedly etc. but got tired halfway through the article.

Instead of whining, "Chaotic Eclipse" should simply create a demo showing how the allegedly potential vulnerability is used on a real system, along with instructions and everything else necessary to reproduce the reportedly existing problem.

What's the source of this? Reddit?
And who are the "researchers" (plural)?
The problem with this approach is that, if Microsoft isn't taking measures to counter the exploit and fix it, then that means script kiddies―wannabe hackers with no real cybersystems skills but plenty of time and lots of motivation―are basically being handed a mass exploit on a silver platter. Remember, every retail copy of Windows 10 AND 11 comes with Windows Defender. This isn't some random exploit, that needs to be found (and can therefore be avoided) if you use some malware-ridden version of CCleaner; you don't have to go out into the wild and look for it; you can be compromised using the system, as-intended. It effects both consumer and enterprise systems.

Therefore, we can safely assume that every single Windows computer, actively using Window Defender, is compromised. I mean, they already kind of are (because they're running Windows), but now they're super extra compromised.
 
"Windows' native antivirus tool may not be as effective at doing its job as intended – and Microsoft appears largely unconcerned". <---------------This, surprises anyone?

I have Windows 26H1 from Windows X-Lite, and Linux Mint, on my HP desktop, dual boot. It's better than 25H2, but not by much. I only get the updates they provide. Windows Update is locked down until March 2036. :) If anything goes wrong, I use EASE to do for backup. I'll be back up and running in about thirty minutes!

I've never had a problem with my Acer laptop, with Windows 7 Pro on it, ever! It's still running, (albeit a bit slower) although I don't surf the web with it, mostly just music and movies.
 
Last edited:
I've never had a problem with my Acer laptop, with Windows 7 Pro on it, ever! It's still running, (albeit a bit slower) although I don't surf the web with it, mostly just music and movies.

Have you updated with the last Simplix Pack from January 2026? For an x64 installation, it brings most important Windows files up to December 2025.
 
Anyone else got tired of Microslop's antics? Windows 10 was too good (for the time)? Make Windo
The problem with this approach is that, if Microsoft isn't taking measures to counter the exploit and fix it, then that means script kiddies―wannabe hackers with no real cybersystems skills but plenty of time and lots of motivation―are basically being handed a mass exploit on a silver platter. Remember, every retail copy of Windows 10 AND 11 comes with Windows Defender. This isn't some random exploit, that needs to be found (and can therefore be avoided) if you use some malware-ridden version of CCleaner; you don't have to go out into the wild and look for it; you can be compromised using the system, as-intended. It effects both consumer and enterprise systems.

Therefore, we can safely assume that every single Windows computer, actively using Window Defender, is compromised. I mean, they already kind of are (because they're running Windows), but now they're super extra compromised.
What makes you think there is an exploit at all? Because some anonymous guy with an infantile nickname says so?
 
What makes you think there is an exploit at all? Because some anonymous guy with an infantile nickname says so?
Because the way Recall is designed is basically tantamount to a first-party rootkit. Do I think there's some kind of backdoor in its design, that has been "compromised"? Yes and no. Recall basically has to create a snapshot of the state of the OS, every time it needs to scan data to catalog something, to later be searchable. That is how it works. This process naturally lends itself to vulnerabilities, such as side-channel attacks, but I think the privilege escalation is sort of a "reverse snapshot"―because if Recall has to create a save state of the computer to perform its duties, then data can be injected into the snapshot after the fact. Some of that data will naturally include user permissions, since the system has to make API requests, in order to capture the data to "recall" it later. If you intercept those API commands, you can effectively gain administrator access.

In truth, the only way for Recall to both have access to snapshots, in order to create a "usage history" while preventing privilege escalation, would be to use some kind of "metadata compression"―only saving and analyzing the state of changes between snapshots and discarding the rest, rather than capturing the entire desktop, and even, then it would still be necessary to notify the user of snapshots being taken so that they can decide to keep the snapshot or not.

The way Microsoft has gone about deploying Recall is just all sorts of wrong. They were too busy trying to find a visible use-case for Copilot―something that the customer can observe, that tangibly benefits the user experience, so that they can justify the enormous R&D expenditure they made on implementing ChatGPT into all of their products―to think through the ramifications of how exactly their system works and how it would be understood by the end user. Classic case of "a solution looking for a problem", except the problem is one they created and the solution was to shift that burden onto the customer.
 
I use Windows X-Lite. They took Windows 11 and striped it of all the BS Microsoft puts in it. They, also provide all the important Windows updates. Windows update on this machine is paused until 2036, I don't use it.
I was referring to the Simplix UpdatePack for Windows 7. I tried it firsthand this February, having to reinstall Windows 7 on my grandfather's laptop. I started with the x64 SP1 ISO, then applied the Simplix UpdatePack 7, which brought it up to December 2025. I think that's the end of it, because Server 2008's Premium Assurance updates ended in January 2026.

As for myself, I am using Windows 10 with ESU updates enabled for the next three years at least, and possibly six years.
 
I started counting the number of words like may, could, allegedly, potentially, reportedly etc. but got tired halfway through the article.

Instead of whining, "Chaotic Eclipse" should simply create a demo showing how the allegedly potential vulnerability is used on a real system, along with instructions and everything else necessary to reproduce the reportedly existing problem.

What's the source of this? Reddit?
And who are the "researchers" (plural)?
The researchers were Dr Bevis and senior engineer Butthead.
 
I was referring to the Simplix UpdatePack for Windows 7. I tried it firsthand this February, having to reinstall Windows 7 on my grandfather's laptop. I started with the x64 SP1 ISO, then applied the Simplix UpdatePack 7, which brought it up to December 2025. I think that's the end of it, because Server 2008's Premium Assurance updates ended in January 2026.

As for myself, I am using Windows 10 with ESU updates enabled for the next three years at least, and possibly six years.
Okay
 
Anyone else got tired of Microslop's antics? Windows 10 was too good (for the time)? Make Windo
The problem with this approach is that, if Microsoft isn't taking measures to counter the exploit and fix it, then that means script kiddies―wannabe hackers with no real cybersystems skills but plenty of time and lots of motivation―are basically being handed a mass exploit on a silver platter. Remember, every retail copy of Windows 10 AND 11 comes with Windows Defender. This isn't some random exploit, that needs to be found (and can therefore be avoided) if you use some malware-ridden version of CCleaner; you don't have to go out into the wild and look for it; you can be compromised using the system, as-intended. It effects both consumer and enterprise systems.

Therefore, we can safely assume that every single Windows computer, actively using Window Defender, is compromised. I mean, they already kind of are (because they're running Windows), but now they're super extra compromised.

I have always used a third-party antivirus and always will! Also I don't just slap an antivirus on my system and call it secured. I have hardened Windows with DOD STIGs for years. Been decades since I was infected and have never been hacked.

Microsoft's "antics" go back 51 years to their founding in 1975, hardly new behavior!!

 
Because the way Recall is designed is basically tantamount to a first-party rootkit. Do I think there's some kind of backdoor in its design, that has been "compromised"? Yes and no. Recall basically has to create a snapshot of the state of the OS, every time it needs to scan data to catalog something, to later be searchable. That is how it works. This process naturally lends itself to vulnerabilities, such as side-channel attacks, but I think the privilege escalation is sort of a "reverse snapshot"―because if Recall has to create a save state of the computer to perform its duties, then data can be injected into the snapshot after the fact. Some of that data will naturally include user permissions, since the system has to make API requests, in order to capture the data to "recall" it later. If you intercept those API commands, you can effectively gain administrator access.

In truth, the only way for Recall to both have access to snapshots, in order to create a "usage history" while preventing privilege escalation, would be to use some kind of "metadata compression"―only saving and analyzing the state of changes between snapshots and discarding the rest, rather than capturing the entire desktop, and even, then it would still be necessary to notify the user of snapshots being taken so that they can decide to keep the snapshot or not.

The way Microsoft has gone about deploying Recall is just all sorts of wrong. They were too busy trying to find a visible use-case for Copilot―something that the customer can observe, that tangibly benefits the user experience, so that they can justify the enormous R&D expenditure they made on implementing ChatGPT into all of their products―to think through the ramifications of how exactly their system works and how it would be understood by the end user. Classic case of "a solution looking for a problem", except the problem is one they created and the solution was to shift that burden onto the customer.

Re-read the article and don't find any mention of Recall or Copilot. I fail to see any connection to the Defender vulnerability. Recall is confined to a small number of tablets and laptops with a Snapdragon AI chip and Copilot is little more than a chatbot. What article were you reading?
 
"Windows' native antivirus tool may not be as effective at doing its job as intended – and Microsoft appears largely unconcerned". <---------------This, surprises anyone?

I have Windows 26H1 from Windows X-Lite, and Linux Mint, on my HP desktop, dual boot. It's better than 25H2, but not by much. I only get the updates they provide. Windows Update is locked down until March 2036. :) If anything goes wrong, I use EASE to do for backup. I'll be back up and running in about thirty minutes!

I've never had a problem with my Acer laptop, with Windows 7 Pro on it, ever! It's still running, (albeit a bit slower) although I don't surf the web with it, mostly just music and movies.
What is EASE

I need 30 min back up in my life
 
Back