Skip to content

Microsoft Fixes Zero-Days Disclosed by Feuding Researcher

Microsoft has released fixes for two high-severity zero-days that were disclosed by a researcher who has been engaged in a heated rivalry with the software giant. The patches, which were part of June’s vulnerability patch batch release, addressed vulnerabilities disclosed by Nightmare Eclipse, a pseudonym used by the researcher.

The researcher, Nightmare Eclipse, had previously released a handful of high-severity vulnerabilities in recent months, making them zero-days that had the potential to be exploited in the wild. The disclosures, which included proof-of-concept code, came after Microsoft reneged on an arrangement the two made regarding vulnerabilities they had discussed.

“But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. “They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.” The statement suggests that there was a breakdown in communication between Microsoft and the researcher, leading to the disclosure of the vulnerabilities.

The first vulnerability fixed by Microsoft was CVE-2026-45586, which Nightmare Eclipse disclosed under the name GreenPlasma. This vulnerability is a local privilege escalation, meaning it can be chained to a separate vulnerability to give users or processes with low-level privileges the ability to defeat OS protections and gain full SYSTEM rights needed to install malware. Microsoft said that this vulnerability required minimal complexity to exploit, required no user interaction, and that chances of active exploitation in the wild were likely.

The second vulnerability fixed by Microsoft was MiniPlasma, a separate vulnerability disclosed by Nightmare Eclipse. Microsoft said that this vulnerability is tracked as CVE-2020-17103, a vulnerability Microsoft first fixed six years ago. This means that MiniPlasma was the result of a regression or an incomplete patch in its initial form.

The company has yet to release patches for other vulnerabilities disclosed by Nightmare Eclipse. The researcher named one vulnerability, present in Windows Defender RedSun, and another, BlueHammer, which is also a local privilege escalation flaw that provides SYSTEM rights. Microsoft did provide manual instructions for mitigating YellowKey, a vulnerability that allows attackers to defeat Bitlocker full-disk encryption.

The rivalry between Microsoft and Nightmare Eclipse has been ongoing for several months, with both parties trading barbs in public statements. The researcher has taken multiple potshots at Microsoft, criticizing the company’s vulnerability disclosure program. In turn, Microsoft has publicly railed against the researcher for “not responsibly” disclosing the vulnerabilities and made a veiled reference to the possibility of pursuing legal action.

After a public backlash, Microsoft later relented and vowed no such legal action would occur. The latest development in this saga is that Nightmare Eclipse published exploit code for a new Windows vulnerability on Tuesday, which targets Defender. This move has sparked concerns about the potential for further exploitation of vulnerabilities disclosed by the researcher.

In conclusion, Microsoft’s decision to fix the two high-severity zero-days disclosed by Nightmare Eclipse is a welcome development in the ongoing saga between the two parties. However, the lack of patches for other vulnerabilities disclosed by the researcher remains a concern, and it remains to be seen how this situation will unfold.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *