Anime, manga, and games, with a take · A Yukimedia publication

← all stories other 1 sources · 1h ago ·

Microsoft Defender Update After Fix Opens New Disk-Filling Attack

The new vulnerability suggests the patch for the RoguePlanet flaw may have inadvertently created a different vector for resource exhaustion, with potential for remote exploitation if WebDAV compatibility is confirmed.

Reporting from 1 source: GIGAZINE.

Microsoft Defender Update After Fix Opens New Disk-Filling Attack

Security researcher Nightmare Eclipse reports that Microsoft's fix for the RoguePlanet vulnerability introduced a new issue in Defender. The antivirus no longer applies caching limits to certain alternate data streams, allowing an attacker to fill a Windows 11 drive via a malicious SMB server. The attack was reproducible on Windows 11 25H2 and Windows Server 2025. Microsoft has not commented.

The limits Microsoft Defender normally applies to file scanning and quarantine do not apply to cached alternate data streams labeled Zone.Identifier, the researcher said. That makes it possible to force Defender to write a large cache to disk. In a proof of concept, placing a file and a specially crafted large Zone.Identifier ADS on a malicious SMB server, then intentionally stopping a read operation while keeping the SMB session open, caused Defender to keep the cache locked and not delete it, eventually filling the drive. The attack was reproducible on Windows 11 25H2 and Windows Server 2025. Nightmare Eclipse is also investigating whether the same method can be used over WebDAV, which would allow internet-based exploitation without SMB. Microsoft has not yet commented on the reported disk exhaustion issue as of the article's publication.

Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.

Sources