BlueHammer: Local Privilege Escalation via Windows Defender

Core Security researchers describe the BlueHammer exploit targeting a zero-day vulnerability in the Windows Defender update mechanism to obtain local privilege escalation. The issue arises because the Defender update service performs operations with system privileges but does not properly validate access permissions for temporary files and directories created during the update process.
Exploitation is possible with only local access and standard user privileges: an attacker can replace or inject a malicious file into a path used by the update process, resulting in code execution with NT AUTHORITY\SYSTEM privileges.
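The advisory does not name the affected directory, but the bug class it describes is a privileged service consuming files from a location that standard users can write to. The following PowerShell is an added defender's check, not code from Core Security or Microsoft: it inspects a directory's DACL and owner and reports any grant that would let a low-privilege principal plant or replace files there. The path is a placeholder to be replaced with whatever location the update service actually uses.

```powershell
# Added example (not from the advisory): report ACEs on a directory that let
# low-privilege principals write into it, plus a non-administrative owner.
function Get-LowPrivWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Principals a standard user is a member of; a write grant to any of them
    # means a standard user can tamper with files a SYSTEM service later reads.
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    # Any of these bits lets the principal add, replace or remove files.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $findings += [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited grants usually come from the parent
        }
    }

    # The owner can rewrite the DACL regardless of what it currently says,
    # so an owner outside the administrative set is itself a finding.
    $trustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    if ($trustedOwners -notcontains $acl.Owner) {
        $findings += [pscustomobject]@{ Path = $Path; Principal = $acl.Owner; Rights = 'Owner'; Inherited = $false }
    }
    return $findings
}

# Placeholder path: substitute the directory the update service actually uses.
Get-LowPrivWriteAccess -Path 'C:\ProgramData\<update-temp-dir-placeholder>' | Format-Table -AutoSize
```

An empty result means no standard-user principal holds write rights on the directory itself; subdirectories and files created later inherit from it, so the check is worth repeating on those once the service has populated them.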
Vendors: Core Security, Microsoft
Products: BlueHammer, Windows Defender
Published: 2026-04-15, 10:15