
"BlueHammer works by downloading a genuine Microsoft Defender Antivirus definition update and equipping it with an opportunistic lock (oplock) to gain privileged access to files. Once the oplock is triggered, the exploit creates a symbolic link that redirects Defender's read operation, causing it to leak information about local accounts."
"RedSun works by writing an EICAR test file via the Windows Cloud Files API. The process then utilizes an oplock to halt Microsoft Defender's file recovery process and redirect the write path to the System32 directory."
Three security vulnerabilities in Microsoft Defender are being exploited, with only BlueHammer receiving a patch. BlueHammer requires GitHub login and exploits a Microsoft Defender update to gain access to local accounts. RedSun, unaffected by the BlueHammer patch, uses the Windows Cloud Files API to overwrite a critical system file, granting SYSTEM-level access. Both vulnerabilities pose significant risks across various Windows operating systems, with proof-of-concept demonstrations confirming their effectiveness.
Read at TechRepublic