TL;DR
Chaotic Eclipse dropped RoguePlanet, their seventh Windows zero-day, hours after Microsoft’s record Patch Tuesday. It grants SYSTEM access on fully patched machines.
Chaotic Eclipse, the security researcher Microsoft threatened with criminal prosecution, has published a seventh Windows zero-day exploit. Called RoguePlanet, it grants attackers SYSTEM privileges on fully patched Windows 10 and 11 machines. The researcher released the proof-of-concept hours after Microsoft shipped its June Patch Tuesday update, which fixed a record 200 vulnerabilities.
RoguePlanet exploits a race condition in Windows Defender’s internal processing logic. Specifically, it is a Time-of-Check to Time-of-Use (TOCTOU) vulnerability: the state Defender checks can change before Defender acts on it. Because Defender runs as SYSTEM, an unprivileged user who redirects one of its file operations in that window can have attacker-controlled code executed at the highest privilege level.
“The exploit is a race condition, so it’s a hit or miss,” the researcher said. “I have managed to get a 100% success rate on some machines while it struggled to work on others.”
Security firm ThreatLocker confirmed the flaw works and published a video demonstration. “Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described,” said CEO Danny Jenkins. He added that application allowlisting can prevent the exploit from executing.
The proof-of-concept was published on a self-hosted Git repository after the researcher said Microsoft had both GitHub and GitLab repositories hosting earlier work removed. This is part of an escalating dispute. Microsoft invoked its Digital Crimes Unit against the researcher and revoked access to their Microsoft Security Response Center account.
Chaotic Eclipse has disclosed seven zero-days in a matter of months: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and now RoguePlanet. Microsoft’s June Patch Tuesday fixed two of them, GreenPlasma and YellowKey, but the rest remain unpatched. The researcher says the disclosures are retaliation for how Microsoft handled the process.
“They mopped the floor with me and pulled every childish game they could,” the researcher wrote. “I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer.”
The timing is pointed. Microsoft’s June Patch Tuesday was its largest ever, fixing 200 vulnerabilities including 33 rated critical and three publicly disclosed zero-days. Analysts attribute the surge in part to AI-assisted code auditing, which is finding vulnerabilities faster than defenders can patch them. RoguePlanet arriving hours after the record update underscores the gap: even the biggest patch cycle in Microsoft’s history was immediately obsolete for anyone running Windows Defender.


