RedSun: System user access on Win 11/10 and Server with the April 2026 Update

Defender accused of “putting malware back” — commenters roast Microsoft and spark OS flame war

TLDR: A researcher says a Windows Defender bug can be twisted to overwrite system files and gain admin access, sparking alarm and jokes. Comments turn chaotic: some accuse the post of hinting at exploit details, others question Defender’s power, and the Linux‑versus‑Windows rivalry reignites — because of course it does.

Windows fans woke up to a plot twist: a researcher claims a Windows Defender quirk can be abused to overwrite system files and grab admin power — because the antivirus puts the file back if it carries a certain “cloud tag.” The author called it “too funny” to drop full code, but the crowd heard “hold my beer.” Cue the cackling.

The hottest thread wasn’t about the bug itself — it was the comment cage match. One user squinted at the post and basically said, “Wait… didn’t they just share the exploit anyway?” Another asked the question everyone else was thinking: Why can the antivirus write to system files at all? That turned into a bigger debate over how security tools should behave, with some admitting they’re not experts but still feeling the vibes were off.

Then the classic OS rivalry burst in like a Kool‑Aid Man moment: someone lobbed a grenade at Linux, joking these kinds of “local privilege escalation” bugs show up there weekly. Windows folks laughed, penguin fans bristled, and suddenly it was Patch Tuesday vs. “but open source” all over again. To top it off, a mysterious compiler command drifted into the chat like a recipe card for trouble — which only fueled the drama. Internet, never change.

Key Points

  • The article describes a vulnerability called “RedSun” affecting Windows 10, Windows 11, and Windows Server with the April 2026 Update.
  • It claims Microsoft Defender rewrites files tagged as malicious (via a cloud tag) back to their original location.
  • A proof-of-concept (PoC) abuses this behavior to overwrite system files.
  • The stated outcome is local privilege escalation to administrative (SYSTEM) privileges.
  • The author says they typically release PoC code but do not do so for this case, while explaining the core behavior.

Hottest takes

“Looks like that’s exactly what they did though?” — ranger_danger
“Being able to write sounds like a bad idea” — egeozcan
“Doesn’t Linux have one of these CVEs…each week?” — labelbabyjunior

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.