In a significant development for Windows users, Microsoft released a patch on Wednesday to address a zero-day vulnerability in its Defender security engine. However, security researchers have raised concerns that this update could inadvertently cause Windows machines to fill up their hard drives, potentially leading to system disruptions. This issue was brought to light by NightmareEclipse, the pseudonym of the researcher who initially discovered the flaw.
Understanding the RoguePlanet Vulnerability
The vulnerability, tracked as CVE-2026-50656 and dubbed RoguePlanet, was initially exposed in June. NightmareEclipse, the researcher behind the discovery, leaked both the vulnerability and its exploit code. The flaw presented a significant threat, allowing remote attackers to gain administrative control over Windows 10 and Windows 11 systems, even when real-time protection was disabled. This revelation prompted Microsoft to act swiftly in developing a patch.
Microsoft’s Response and Patch Release
On Wednesday, Microsoft responded by issuing a patch for the Microsoft Malware Protection Engine, integral to the Defender antivirus application. This update, designed to automatically download and install, aimed to mitigate the threat posed by RoguePlanet. Alongside the primary fix, the update included “defense-in-depth updates to help improve security-related features,” enhancing the overall security posture of affected systems.
Potential New Issue: Unlimited File Size Creation
Despite the patch, NightmareEclipse highlighted a new concern in a post published on Thursday. The defense-in-depth additions, while intended to bolster security, might allow attackers to exhaust available disk space by writing enormous data volumes to the hard drive. The issue lies within mpengine.dll, the driver linked to the Microsoft Malware Protection Engine. In certain scenarios, this results in an 8-byte data leak when opening a file.
Moreover, the SpyNet service’s new feature contributes to this potentiality. SpyNet, a cloud service, enables Microsoft Security Essentials or Forefront Endpoint Protection to report suspicious software and activities to Microsoft. This functionality, combined with the mpengine.dll behavior, could lead to excessive file writing.
Implications for Disk Space Management
Typically, Defender imposes stringent limits on file sizes during scanning and quarantining to prevent disk space exhaustion. However, according to NightmareEclipse, this update introduced an exception. Specifically, the spynet functions in mpengine.dll prioritize maintaining a local copy of the Zone.Identifier ADS file, regardless of its size, which Windows Defender will cache locally.
This situation poses a challenge for systems with limited storage capacity, potentially causing significant disruptions if not addressed promptly.
For further details, you can refer to the full article Here.
“`

