A security patch hastily deployed by Microsoft to address a critical flaw in Windows Defender has introduced a separate denial-of-service vulnerability, enabling attackers to fill a system's hard disk and cause operational disruption.

The emergency update was intended to fix a high-severity remote code execution bug in the antivirus software. Technical analysis reveals, however, that the patch contains a race condition between the Windows Defender filter driver and the NTFS file system. This flaw creates a new attack vector for rendering systems unusable.

Public disclosures indicate the issue stems from a failure in the patch to handle a specific sequence of operations. By triggering the race condition, an adversary could rapidly fill NTFS alternate data streams—a file storage mechanism on Windows volumes—consuming all available disk space. This would freeze the operating system and block critical functions until an administrator manually clears the drive.

The matter is further strained by an escalating public dispute between a security researcher, known as NightmareEclipse, and Microsoft. This ongoing conflict, as covered by Ars Technica, demonstrates how adversarial vendor-researcher dynamics can impede coordinated risk assessment and delay the delivery of a comprehensive fix, leaving the timeline for a solution uncertain.

Administrators now face a dual threat: the original remote code execution vulnerability, which the patch aims to mitigate, and the newly introduced disk-filling bug. Immediate action is required to monitor for exploitation. Implementing proactive disk space monitoring and configuring alerts for abnormal storage consumption are essential first steps to detect potential attacks.

This incident highlights a critical challenge in security operations. Deploying an emergency patch for a zero-day vulnerability, while necessary, has resulted in a new operational flaw. It underscores the need for rigorous validation testing even under time pressure, forcing organizations to re-examine their patch management protocols to balance speed with thoroughness.

Microsoft has not yet announced a timeline for releasing a fully corrected patch. Until such a fix is delivered, the primary defenses remain vigilant system monitoring and prepared incident response plans to counter any attempts to leverage this vulnerability for disruptive attacks.


微軟緊急部署的安全修補程式,旨在解決Windows Defender的嚴重漏洞,卻意外引入另一個拒絕服務漏洞,令攻擊者得以填滿系統硬碟,導致運作中斷。

該緊急更新原意是修補防毒軟件中一個高嚴重性的遠端執行代碼漏洞。然而技術分析指出,修補程式在Windows Defender篩選器驅動程式與NTFS檔案系統之間存在競爭條件。此漏洞創造了新的攻擊途徑,可使系統完全癱瘓。

公開資料顯示,問題源於修補程式未能正確處理特定的操作序列。透過觸發競爭條件,攻擊者可快速填滿NTFS替代資料流(Windows儲存卷的一種檔案儲存機制),耗盡所有可用磁碟空間。這將導致作業系統凍結,並阻止關鍵功能運作,直至管理員手動清理磁碟空間。

事件因安全研究員NightmareEclipse與微軟之間持續升級的公開爭執而變得更加複雜。Ars Technica報道的這場持續衝突顯示,對立的供應商與研究員關係如何妨礙協調風險評估,並延遲完整修補程式的交付,使解決方案的時間表充滿不確定性。

管理員現時面臨雙重威脅:一是修補程式旨在緩解的原始遠端執行代碼漏洞,二是新引入的硬碟填滿漏洞。必須立即採取行動監測利用行為。實施主動式硬碟空間監控,並為異常儲存消耗設定警告,是偵測潛在攻擊的必要初步措施。

此事件突顯了安全營運中的重大挑戰。部署緊急修補程式應對零日漏洞雖然必要,但卻導致新的營運缺陷。這凸顯即使在時間壓力下,仍需進行嚴格驗證測試,迫使各組織重新檢視其修補管理流程,在速度與周全性之間取得平衡。

微軟尚未公布發佈完全修正補丁的時間表。在此類修補交付前,主要防禦措施仍是保持警覺的系統監控,以及準備就緒的事件應對計劃,以對抗任何利用此漏洞發動破壞性攻擊的企圖。

新聞來源 / Original News Source