عاجل
RUВодитель, сбивший женщину с детьми в Калининграде, задержанRUВ Туве волонтеры штурмовали дом по наводке ясновидящей в поисках пропавших детейPLAutobus wjechał do przejścia podziemnego po zderzeniu z tramwajem i 14 autami. Cztery osoby poszkodowane.DEJan-Lennard Struff erreicht erstmals das Viertelfinale eines Grand-Slam-TurniersAUSA to Implement 'Ryan's Rule' for Patient Escalation of ConcernsINTaylor Swift and Travis Kelce's MSG Wedding: All the Wild DetailsARالهلال السعودي يستعد لغربلة لاعبيه الأجانب.. والاتحاد السعودي لكرة القدم يدخل مرحلة حاسمة لانتخاباتهARباريس ودمشق تراقبان آخر المقاتلين الفرنسيين في سورياTRABD'nin Yıldız Oyuncusunun Cezası Ertelendi, Belçika'dan TepkiRUCristiano Ronaldo hints 2026 World Cup could be his lastRUВодитель, сбивший женщину с детьми в Калининграде, задержанRUВ Туве волонтеры штурмовали дом по наводке ясновидящей в поисках пропавших детейPLAutobus wjechał do przejścia podziemnego po zderzeniu z tramwajem i 14 autami. Cztery osoby poszkodowane.DEJan-Lennard Struff erreicht erstmals das Viertelfinale eines Grand-Slam-TurniersAUSA to Implement 'Ryan's Rule' for Patient Escalation of ConcernsINTaylor Swift and Travis Kelce's MSG Wedding: All the Wild DetailsARالهلال السعودي يستعد لغربلة لاعبيه الأجانب.. والاتحاد السعودي لكرة القدم يدخل مرحلة حاسمة لانتخاباتهARباريس ودمشق تراقبان آخر المقاتلين الفرنسيين في سورياTRABD'nin Yıldız Oyuncusunun Cezası Ertelendi, Belçika'dan TepkiRUCristiano Ronaldo hints 2026 World Cup could be his last
Newsgather
BackMicrosoft Fixes Two Zero-Days Disclosed by Researcher in Dispute
Microsoft Fixes Two Zero-Days Disclosed by Researcher in Dispute
مُلِح
Ars Technica09.06.2026تقنية3 dk okumaUnited States

Microsoft Fixes Two Zero-Days Disclosed by Researcher in Dispute

نظرة سريعة

  • Microsoft released fixes for two high-severity zero-day vulnerabilities disclosed by a researcher known as Nightmare Eclipse.
  • The researcher claims Microsoft broke an agreement, leading to the public disclosure of flaws, including CVE-2026-45586 and CVE-2020-17103.

ملخص مُنشأ بالذكاء الاصطناعي

لماذا يهم

A researcher known as Nightmare Eclipse has publicly disclosed several high-severity zero-day vulnerabilities in Microsoft products after alleging a breach of agreement with the software giant. Microsoft has now released patches for two of these vulnerabilities, CVE-2026-45586 and CVE-2020-17103, while other disclosed flaws remain unaddressed.

حجم الخط

Microsoft on Tuesday released fixes for two high-severity zero-days that were disclosed by a researcher who has been locked in a testy beef with the software giant.

Nightmare Eclipse, the pseudonym the researcher goes by, released a handful of high-severity vulnerabilities in recent months, making them zero-days that had the potential to be exploited in the wild. The researcher has said the disclosures, which included proof-of-concept code, came after Microsoft reneged on an arrangement the two made regarding vulnerabilities they had discussed.

Disclosure drama

“But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. “They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”

As part of June’s vulnerability patch batch release, Microsoft issued a fix for CVE-2026-45586. Nightmare Eclipse disclosed the vulnerability and limited PoC code in May under the name GreenPlasma. The vulnerability is a local privilege escalation, meaning it can be chained to a separate vulnerability to give users or processes with low-level privileges the ability to defeat OS protections and gain full SYSTEM rights needed to install malware.

Microsoft said CVE-2026-45586 required minimal complexity to exploit, required no user interaction, and that chances of active exploitation in the wild were likely. The vulnerability, the company added, was the result of “improper link resolution before file access (‘link following’) in [the] Windows Collaborative Translation Framework.” There are no indications that the vulnerability has been actively exploited so far.

Tuesday’s patch bundle also fixed MiniPlasma, a separate vulnerability disclosed by Nightmare Eclipse. Microsoft said in an email that the vulnerability is tracked as CVE-2020-17103, a vulnerability Microsoft first fixed six years ago. That means MiniPlasma was the result of a regression or an incomplete patch in its initial form. The company is in the process of updating Tuesday’s bulletin to note the republication.

Microsoft has yet to release patches for other vulnerabilities disclosed by Nightmare Eclipse. The company did provide manual instructions for mitigating YellowKey, a vulnerability that allows attackers to defeat Bitlocker full-disk encryption. That could be a boon when attackers have physical access to a device (the precise scenario Bitlocker is designed to protect against). The company has yet to fix the underlying cause of the vulnerability.

The status of other vulnerabilities disclosed by Nightmare Eclipse are also unclear at the moment. The researcher named one vulnerability, present in Windows Defender RedSun. Another, named BlueHammer, is also a local privilege escalation flaw that provides SYSTEM rights.

Over the past few months, Nightmare Eclipse has taken multiple potshots at Microsoft. The specific criticisms remain unclear, but many make references to complaints about the company’s vulnerability disclosure program. Microsoft, in turn, has publicly railed against the researcher for “not responsibly” disclosing the vulnerabilities and made a vailed reference to the possibility of pursuing legal action. After a public backlash, Microsoft later relented and vowed no such legal action would occur.

On Tuesday, Nightmare Eclipse published exploit code for a new Windows vulnerability. It’s a race condition that targets Defender.

Tuesday’s patch batch included fixes for roughly 200 vulnerabilities. Notwithstanding the appearance that MiniPlasma was fixed, two of them were also confirmed as zero-days.

Post updated to include information Microsoft provided after initial publication of this post.

ما الذي يجب مراقبته

توقعات الذكاء الاصطناعي — احتمالات وليست حقائق

  • Microsoft will likely address the remaining disclosed vulnerabilities, either through patches or mitigation instructions.

    مرجح · خلال أسابيع

  • The researcher may continue to disclose vulnerabilities if the dispute with Microsoft is not resolved.

    محتمل · خلال أشهر

أسئلة مفتوحة

  • What was the specific nature of the agreement between Microsoft and Nightmare Eclipse?
  • Will Microsoft release patches for the other disclosed vulnerabilities?
  • What are the potential consequences of the unpatched vulnerabilities?
  • What is the full extent of the damage caused by the alleged agreement violation?

مواضيع ذات صلة

This article was originally published by Ars Technica.

أخبار ذات صلة

المزيد حول هذا الموضوعmicrosoft