RoguePlanet: A TOCTOU Race Condition in Windows Defender

Chaotic Eclipse, the security researcher Microsoft threatened with criminal prosecution, dropped their seventh Windows zero-day exploit. Called RoguePlanet, it grants SYSTEM privileges on fully patched Windows 10 and 11 machines. The proof-of-concept landed hours after Microsoft shipped its June Patch Tuesday update, which fixed a record 200 vulnerabilities.

RoguePlanet exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition in Windows Defender's internal processing logic. An unprivileged user can redirect a file operation performed by Defender (running as SYSTEM) to execute attacker-controlled code at the highest privilege level. The researcher noted: "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others."

Security firm ThreatLocker confirmed the flaw works and published a video demonstration. CEO Danny Jenkins said: "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described." He added that application allowlisting can prevent execution.

The Escalating Dispute

Chaotic Eclipse has disclosed seven zero-days in months: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and now RoguePlanet. Microsoft's June Patch Tuesday fixed GreenPlasma and YellowKey; the rest remain unpatched. The researcher said the disclosures are retaliation for how Microsoft handled the process: "They mopped the floor with me and pulled every childish game they could. I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer."

Microsoft invoked its Digital Crimes Unit against the researcher and revoked access to their Microsoft Security Response Center account. The proof-of-concept was published on a self-hosted Git repository after Microsoft had GitHub and GitLab repositories hosting earlier work removed.

Patch Tuesday's Record Haul

Microsoft's June Patch Tuesday fixed 200 vulnerabilities, including 33 rated critical and three publicly disclosed zero-days. Analysts attribute the surge in part to AI-assisted code auditing, which finds vulnerabilities faster than defenders can patch them. RoguePlanet arriving hours after the record update underscores the gap: even the largest patch cycle in Microsoft's history left anyone running Windows Defender exposed the same day it shipped.

Technical Details

The vulnerability is a TOCTOU race condition in Windows Defender's file scanning component. When Defender scans a file, it checks the file's properties (Time-of-Check), but an attacker can swap the file before Defender acts on that check (Time-of-Use). This allows the attacker to trick Defender into executing arbitrary code with SYSTEM privileges.

Proof-of-concept code is available on a self-hosted Git repository. The exploit requires local access and multiple attempts due to the race condition. ThreatLocker's video shows successful privilege escalation on Windows 11 22H2 with all updates applied.

What Developers Should Do

  1. Apply application allowlisting (e.g., Microsoft Defender for Endpoint's ASR rules, third-party tools) to block untrusted executables.
  2. Monitor for unusual behavior from the Windows Defender engine process (MsMpEng.exe), which runs as SYSTEM.
  3. Consider temporarily disabling Windows Defender's real-time protection if an alternative AV is in place (not recommended for production systems).
  4. Chaotic Eclipse has indicated more disclosures to come. Stay alert for patches.

The Bigger Picture

This is not just another zero-day. It's a signal that the coordinated vulnerability disclosure (CVD) process is broken when researchers feel threatened by the vendor. Microsoft's legal threats may deter disclosure, but they also push researchers to publish on self-hosted repos, making it harder for defenders to track. The RoguePlanet exploit is real, confirmed, and unpatched. Your Windows Defender is a vector, not a shield.