RedSun: System user access on Win 11/10 and Server with the April 2026 Update
113 points | 8 hours ago | 6 comments | github.com
luma
11 minutes ago
Tried to download and Defender blocks it.
reply
IFC_LLC
1 hour ago
I remember the times when Microsoft had a lot of problems 20 years ago because of Sasser and other viruses that were taking over Windows. They did not have any contenders. Yet they stopped all software development for 9 months just to re-work their entire codebase to prevent things like direct memory execution and stuff like that. The result of that was Windows XP Service Pack 2. After that thing, Windows XP became a legend.

Now, when Linux is slowly creeping on one side, and Mac NEO on another they keep releasing this AI-slop.

By the looks of it they make most of their money from the cloud and other software things nowadays. And Windows has become a sidekick in their processes.

reply
nailer
51 minutes ago
> Windows XP Service Pack 2. After that thing, Windows XP became a legend.

God that was an era. XP SP2 was a great OS, IE was the best browser, MSN was the most popular messenger, Skype was acquired, HTC's Windows CE devices were shipping real web browsers that worked over 3G.

By the end of the Ballmer era, Microsoft had lost the OS, the browser, the messenger, the meeting service and mobile.

reply
egeozcan
6 hours ago
I wonder why Windows Defender has the privilege to alter the system files. Read them for analysis? Sure! Reset (as in, call some Windows API to have it replaced with the original), why not? But being able to write sounds like a bad idea.

However, I don't know what I'm talking about so take it with a grain of salt!

reply
EvanAnderson
5 hours ago
AV has traditionally run as SYSTEM on Windows (and, in the past, often had kernel mode drivers too). I've always thought it was a terrible idea. It opens up exciting new attack surfaces. Kaspersky and McAfee both had privilege escalation vulnerabilities that I can recall. There have been a ton in multiple products over the years.
reply
labelbabyjunior
5 hours ago
They kind of have to, though.

If malware exploits a privilege escalation vuln, what's the AV going to do about it when it's reduced to the software equivalent of a UK police officer? Observe and report? Stop or I'll say "stop" again?

AV requires great power, which requires great responsibility. The second part is what often eludes AV developers.

reply
EvanAnderson
5 hours ago
The OS should do the SYSTEM-level lifting, and scanning processes and behavior analysis should run sandboxed as low-priv processes. It would require a clearly defined API, and I feel like MSFT was always reticent to commit, leaving AV manufacturers to create hacky nightmares.
reply
labelbabyjunior
5 hours ago
Well the OS should do nothing—remember MS was taken to court over that—but better privsep on the part of the AV, sure.

Technically, Defender can be replaced with 3rd party AV.

reply
bux93
3 hours ago
Windows has separate SeBackupPrivilege for backup software, so why not for AV?
reply
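The comment above points at Windows token privileges as the mechanism that lets a narrowly scoped component read or write protected files without running as SYSTEM. The following audit script is an added example, not code from the RedSun repository or from any commenter: it lists which of a constructed set of sensitive privileges the current token holds, so that a service or scan process can be checked against a least-privilege baseline. `whoami /priv /fo csv` is a built-in Windows command; the set of privileges treated as sensitive is this example's own choice, not an official Microsoft list.

```powershell
# Added example (not from the RedSun repo or any commenter): audit the
# privileges held by the token of the session this script runs in. Run it
# under the account whose least-privilege posture you want to check.

# Constructed list of privileges worth reviewing on a service account.
$Sensitive = @(
    'SeBackupPrivilege',        # read any file regardless of its ACL
    'SeRestorePrivilege',       # write any file regardless of its ACL
    'SeTakeOwnershipPrivilege', # take ownership, then rewrite the ACL
    'SeDebugPrivilege',         # open any process with full access
    'SeLoadDriverPrivilege',    # load kernel-mode drivers
    'SeTcbPrivilege'            # act as part of the operating system
)

function Get-SensitivePrivilege {
    # 'whoami /priv /fo csv' prints columns: Privilege Name, Description, State
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $name = $row.'Privilege Name'
        if ($Sensitive -contains $name) {
            [pscustomobject]@{
                Privilege = $name
                State     = $row.State   # 'Enabled' or 'Disabled'
            }
        }
    }
}

# A 'Disabled' state only means the privilege is not currently turned on;
# a process that holds it can enable it at any time, so the row itself is
# the finding, not the State column.
Get-SensitivePrivilege | Format-Table -AutoSize
```

A backup agent that needs SeBackupPrivilege only would show a single row here; an agent that also reports SeRestorePrivilege, SeDebugPrivilege and SeLoadDriverPrivilege is effectively SYSTEM whatever account name it runs under, which is the comparison the comment above is asking for.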
formerly_proven
3 hours ago
“Because the remediation component requires SYSTEM, the entire AV needs to run as SYSTEM and we have to unpack malware in the kernel”
reply
Fokamul
4 hours ago
Because to get Ring0, you just need signed vulnerable driver.

There are tons of signed drivers to explore ;-)

reply
labelbabyjunior
5 hours ago
Some files under Windows are protected as the TrustedInstaller user, which is a more restrictive level of permissions than SYSTEM.
reply
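To see the TrustedInstaller protection the comment above describes, the ACLs of the protected files can be inspected directly. The script below is an added example, not code from the RedSun repository or any commenter: for each path in a constructed sample list it reports the owner, whether that owner is `NT SERVICE\TrustedInstaller`, and which identities hold any write-class right (write, delete, take ownership, change permissions). `Get-Acl` and the `FileSystemRights` flags are standard .NET/PowerShell APIs; the sample file list and the write mask are this example's own choices.

```powershell
# Added example (not from the RedSun repo or any commenter): report who owns a
# set of protected system files and who is allowed to modify them.

# Constructed sample of files that are normally TrustedInstaller-owned.
$Protected = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\kernel32.dll"
)

# Rights that let a principal change the file or its protection.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Test-ProtectedFile {
    param([string]$Path)

    $acl = Get-Acl -LiteralPath $Path

    # Collect every identity with an Allow ACE that includes a write-class bit.
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            $ace.IdentityReference.Value
        }
    }

    [pscustomobject]@{
        Path                  = $Path
        Owner                 = $acl.Owner
        TrustedInstallerOwned = ($acl.Owner -eq 'NT SERVICE\TrustedInstaller')
        WriteAllowedTo        = ($writers | Sort-Object -Unique) -join ', '
    }
}

$Protected | ForEach-Object { Test-ProtectedFile -Path $_ } | Format-List
```

On a default installation the expected picture is that TrustedInstaller is both the owner and the only identity with write-class rights, while SYSTEM and Administrators hold read and execute. A file where Administrators or SYSTEM appear in `WriteAllowedTo`, or where the owner has changed, is the kind of drift a baseline check should flag; note that SeTakeOwnershipPrivilege and SeRestorePrivilege bypass these ACLs entirely, which is why file ACLs and token privileges have to be reviewed together.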
hathym
3 hours ago
cl /std:c++17 /EHsc /W4 /O2 /DUNICODE /D_UNICODE /wd4005 /Fe:RedSun.exe RedSun.cpp advapi32.lib ole32.lib user32.lib
reply
ranger_danger
7 hours ago
> normally I would just drop the PoC code and let people figure it out

Looks like that's exactly what they did though?

Or maybe they just meant that they don't usually explain how it works?

reply
kijin
6 hours ago
They gave it a sexy name and set up a website about it (a GitHub repo, at any rate), instead of just talking about it on a mailing list and getting a CVE like a proper bearded security researcher.
reply
tclancy
1 hour ago
It’s getting warm above the equator, they may have shaved for the season.
reply
labelbabyjunior
6 hours ago
A local privilege escalation to root via an exploitable service?

Doesn't Linux have one of these CVEs...each week?

reply
hnlmorg
4 hours ago
Only if you’re running daemons as root. Which would be an idiotic move to begin with because that’s not how distros package their services. So you’d have to intentionally make this mistake.
reply
GuestFAUniverse
1 hour ago
Intentionally?

Ignorance is bliss! Simply use docker in its (old) default setup, instead of podman, apptainer, docker-rootless ... and that world is yours.

Added bonuses are the incredibly stupid integration with ufw on Ubuntu, images with laughable uid mapping, ...

How that shit got traction baffles me.

reply
BodyCulture
4 hours ago
No.
reply
IshKebab
2 hours ago
Not quite every week, but yeah it has a lot. And if the target uses sudo at all you don't even need an exploit!

But nobody mentioned Linux. There's no need for whataboutism. They both shouldn't have these vulnerabilities.

reply
hsbauauvhabzb
5 hours ago
Probably, but is that service deployed as part of the base operating system or as a third-party package? Can you remove the service if you deem the crazy service behaviour unnecessary or too risky for your use case?
reply