Defender CVE - What are you doing?
Posted by nodiaque@reddit | sysadmin | 61 comments
Was wondering, for those using Defender, how did you address this?
https://thehackernews.com/2026/04/microsoft-issues-patches-for-sharepoint.html
On our end, they decided to remove Defender everywhere. I'm wondering what it is
charleswj@reddit
You removed (disabled) defender? What infallible vendor will you move to?
Relevant-Idea2298@reddit
I hear CrowdStrike has never made a mistake.
Burgergold@reddit
July 2024, Je me souviens
Secret_Account07@reddit
Just commented this elsewhere but we had been on McAfee for over a decade. Literally a week after we switched it happened.
We had to fix on a few thousand servers. Thanks for the big OT paycheck, Crowdstrike!
But other than that monumental fuck-up, it’s been solid
nodiaque@reddit (OP)
Oh, a fellow QC
Secret_Account07@reddit
lol
We switched to CrowdStrike for our servers after many years of McAfee. Anyways, was very happy to get off McAfee, but by total coincidence CrowdStrike became world famous a week after we switched. Crazy timing.
But it’s been solid. I like how quickly it’s able to quarantine entire VMs after an infection is detected. No more having to disable the NIC like we had to do with McAfee. It completely isolates on its own.
iammiscreant@reddit
😂too soon!
AlexMelillo@reddit
It’s been nearly two years and I’m still upset about the plans I had to cancel that day
nodiaque@reddit (OP)
I simply did what security asked. We are currently testing Defender; our real virus protection is from Trend Micro.
Audience-Electrical@reddit
Yeah that stood out to me. For a moment I thought I was on r/shittysysadmin
omgdualies@reddit
Patch it… am I missing something special about it?
nodiaque@reddit (OP)
2 are unpatched?
Burgergold@reddit
Wait for the patch
If there is a workaround, apply it
Noobmode@reddit
There isn’t a mitigating control as far as I know.
nodiaque@reddit (OP)
For redsun, it seems it relies on cloud files, so you could disable cloud files and be safe. But I don't know for undefend.
-GenlyAI-@reddit
Where do you see they don't have patches?
nodiaque@reddit (OP)
The articles clearly state that redsun and, I forget the other one, aren't. A little Google search will also show you many articles stating the same. Also, the CVE itself states it.
-GenlyAI-@reddit
I wasn't doubting you. Settle down. I didn't see it in the article linked so I was curious.
nodiaque@reddit (OP)
Here's the actual link
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
nodiaque@reddit (OP)
Shit, now I feel dumb for linking the wrong article.... This is the update fix article....
disclosure5@reddit
By definition this can't be exploited without setting off a Defender incident.
You are responding to incidents right?
nodiaque@reddit (OP)
It doesn't require any user interaction. The exploit is that Defender thinks there's a vulnerable file (that isn't) and overwrites it with the vulnerability, exploiting NT AUTHORITY.
disclosure5@reddit
I wrote and demoed a KQL detection after running it in our labs, but keep explaining it to me.
https://detections.ai/rules/019d989c-961b-7109-82d8-cc0c93d971c6
Godcry55@reddit
Can you share the KQL? We run Defender P2.
disclosure5@reddit
I linked one above. Also consider this.
nodiaque@reddit (OP)
What about undefend?
charleswj@reddit
Your link doesn't work
nodiaque@reddit (OP)
KQL for which one?
Noobmode@reddit
We don’t use defender sooooooo nothing.
If I was, I’d be fucking pissed at Microsoft and yelling at my account rep, asking why MSRC decided screwing over a researcher led to a zero-day that was completely avoidable.
PTCruiserGT@reddit
SMH my head if that's what happened
disclosure5@reddit
Yeah, the researcher was very clear he's not going to deal with Microsoft's incompetence after his previous attempts to report vulnerabilities. Anyone who's tried to report to Microsoft security lately has a similar story.
VexingRaven@reddit
There are 2 sides to every story.
disclosure5@reddit
No one familiar with Microsoft security is giving any credibility to the idea that Microsoft has a side that goes beyond "we were too busy with Copilot".
VexingRaven@reddit
Forgive me if I have difficulty "giving credibility" to a "security researcher" who has an unspecific bone to pick claiming that MS is somehow ruining his life and costing him his family and making him homeless but won't go into details how exactly.
disclosure5@reddit
Next you're going to claim you have difficulty giving credibility to "a random redditor" claiming Windows Update quality has degraded.
VexingRaven@reddit
So you're telling me you unquestioningly believe that Microsoft somehow cost this person their family and their home?
disclosure5@reddit
I believe unquestionably they made dealing with them difficult enough that dropping this zero day is exactly the right approach and I don't care much how someone's other claims impact that.
ender-_@reddit
There have been reports from multiple vuln researchers that MSRC completely ignores reports that don't contain a video of the exploit (and if you do provide a video, it's still really hard to get somebody to care).
VexingRaven@reddit
Have other researchers claimed Microsoft ruined their life, took their family away, and left them homeless?
g-nice4liief@reddit
I think he doesn't need to go into detail, as this isn't the first time Microsoft treated security researchers shittily.
It's just one of the times someone hit back and let Microsoft get caught with their pants down on the world stage.
Microsoft hasn't even looked good lately. This just seemed like his bucket spilled over, and there probably could be more people having the same reaction.
VexingRaven@reddit
His claims go far beyond the usual "Microsoft ignored my bug (because I didn't provide the proof they wanted)"
g-nice4liief@reddit
True, that's indeed a good idea, hadn't thought about it.
dabbydaberson@reddit
Satya is destroying all the good he did. MS and their AI dreams with co-pilot are going to be a great business use case one day. It reminds me of Nokia and Apple.
Noobmode@reddit
This is a pretty well known thing in the security community. Microsoft’s security and response to things are so bad they basically delegitimized FedRAMP: after they got so embedded but couldn’t provide the security and documentation assurances, the government had to rubber stamp them. Let that sink in. AWS and Google could provide all their controls and how things worked in their cloud in 6 to 12 months. MS took 5 years, to the point the US government had to just be like, welp, guess you’re certified.
https://www.propublica.org/article/microsoft-cloud-fedramp-cybersecurity-government
Noobmode@reddit
That is exactly what happened. He disclosed, they gave him the run around for 6 months. Then he said, you know what, fuck it, let's ball. Then dropped three zero-days. That’s not including the one BHIS did a webcast on this week, where they can proxy C2 traffic for reverse shells via WebView2 in Edge. MSRC told the BHIS researcher sorry, not a vuln, after giving him the run around for 6 months.
Blog for WebView2 being a built-in C2 channel.
https://www.blackhillsinfosec.com/proxy-execution-via-webview2/
I don’t work for BHIS, I just enjoy their content. It’s free/cheap and freaking amazing quality.
-GenlyAI-@reddit
Or just don't care. I don't get worked up over work anymore. This will get patched
Noobmode@reddit
If you aren’t accountable for security it’s easy to sit back and not care. Unfortunately I am so it’s frustrating to me that this is even a thing. We’re lucky the researcher didn’t sell it to ransomware gangs or nation states.
xxdcmast@reddit
Go to the Winchester. Have a pint. And wait for this all to blow over.
dabbydaberson@reddit
Everyone knows that gun don't work
citizen0100@reddit
Pub?
ChatGPTbeta@reddit
Pub
emdoubley0u@reddit
top tier comment right here
kerubi@reddit
LOL. Nice try, troll. This belongs to r/ShittySysadmin.
Key_Pace_2496@reddit
Nothing, not caring helps me sleep easier at night.
Forumschlampe@reddit
Priv escalation...not good, not the worst
I laugh one month after rollout... shit solution makes things worse? Yea... doesn't matter, we stay
nodiaque@reddit (OP)
There are 3 CVEs; on our side, they are doing MAYDAY on it.
thortgot@reddit
Then they fundamentally suck at security.
Substantial_Crazy499@reddit
Have you looked at other vendors' CVEs before lol
nodiaque@reddit (OP)
I'm not the security team. I just find the security team going into crisis mode kind of too fast on this.
Substantial_Crazy499@reddit
Honestly they must be inexperienced or using this as some excuse to get cozy with another vendor