Microsoft Faces Backlash Over Zero-Day Disclosures
A contentious clash between Microsoft and security researcher Nightmare Eclipse has ignited widespread dissent within the cybersecurity community.
This friction intensified after Microsoft threatened criminal prosecution related to uncoordinated disclosures of zero-day vulnerabilities.
Between early April and mid-May 2026, Nightmare Eclipse released proof-of-concept exploit code for six Windows vulnerabilities without prior coordination with Microsoft.
Three of these vulnerabilities—designated as BlueHammer, RedSun, and UnDefend—were quickly confirmed to be exploited in live attacks, necessitating emergency patches.
Subsequently, these vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog. The remaining three, identified as YellowKey, GreenPlasma, and MiniPlasma, remain unpatched.
In response to these alarming findings, Microsoft published a formal blog entry decrying uncoordinated disclosures as “unequivocally unjustifiable.”
The tech giant signaled that its Digital Crimes Unit might pursue criminal charges against those involved. Additionally, Nightmare Eclipse’s GitHub account faced suspension around May 23, followed swiftly by the suspension of their GitLab account between May 26 and 27.
Nightmare Eclipse challenges this narrative, asserting that Microsoft had deleted the Security Response Center account utilized for reporting the initial vulnerabilities, thereby severing communication.
“You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so,” the researcher stated publicly.
The broader security industry appears to largely stand against Microsoft’s stance. Security researcher Katie Moussouris vocally criticized the blog post, asserting that the threat of prosecution would deter researchers from placing their trust in Microsoft, potentially compromising overall cybersecurity.
Former Microsoft security engineer Kevin Beaumont termed the situation “a dumpster fire of their own making,” emphasizing that Microsoft had previously employed researchers who released zero-day vulnerabilities without prior notice—an action that it now deems criminal.
Microsoft maintains that such uncoordinated disclosures expose exploit code to malicious entities, jeopardizing customer security before suitable patches can be deployed.

Conversely, researchers argue that vendors frequently overlook or postpone fixing reported vulnerabilities until public outcry forces immediate action, leaving the coordinated disclosure process feeling lopsided.
At present, the pressing concern is that three vulnerabilities persist unaddressed amidst this ongoing dispute. Administrators should regard YellowKey, GreenPlasma, and MiniPlasma as active threats.
Notably, YellowKey is a zero-day exploit capable of circumventing Windows 11’s default TPM-based BitLocker protection, enabling attackers with physical access to unlock encrypted drives without a recovery key.
Source link: Tweaktown.com.