Son Dakika
RUПропажа двух девочек в Туве: расследование под личным контролем прокурораAULive Updates: Mexico vs EnglandKR전공의 근무 시간 줄었지만 정신 건강 지표 악화…근무 강도 완화 검토 필요DEGesundheitsreform: Wichtige Änderungen vor VerabschiedungCN文创消费热潮下的“大生意”与“隐忧”AUObjects on North Queensland Beach Likely Space Debris, Australian Space Agency SaysDESPD-Politiker für Übergangsfrist bei Ende der „Rente mit 63“DEBundeskabinett will Haushalt 2027 mit mehr Ausgaben und Schulden auf den Weg bringenCN蘆竹L303棕線公車轉型桃小巴 7月6日起試辦DEFahrermangel: Verkehrsunternehmen atmen auf – doch das Problem droht sich zu verschärfenRUПропажа двух девочек в Туве: расследование под личным контролем прокурораAULive Updates: Mexico vs EnglandKR전공의 근무 시간 줄었지만 정신 건강 지표 악화…근무 강도 완화 검토 필요DEGesundheitsreform: Wichtige Änderungen vor VerabschiedungCN文创消费热潮下的“大生意”与“隐忧”AUObjects on North Queensland Beach Likely Space Debris, Australian Space Agency SaysDESPD-Politiker für Übergangsfrist bei Ende der „Rente mit 63“DEBundeskabinett will Haushalt 2027 mit mehr Ausgaben und Schulden auf den Weg bringenCN蘆竹L303棕線公車轉型桃小巴 7月6日起試辦DEFahrermangel: Verkehrsunternehmen atmen auf – doch das Problem droht sich zu verschärfen
Newsgather
GeriMicrosoft Fixes Two Zero-Days Disclosed by Researcher in Dispute
Microsoft Fixes Two Zero-Days Disclosed by Researcher in Dispute
Acil
Ars Technica09.06.2026Teknoloji3 dk okumaUnited States

Microsoft Fixes Two Zero-Days Disclosed by Researcher in Dispute

Hızlı Bakış

  • Microsoft released fixes for two high-severity zero-day vulnerabilities disclosed by a researcher known as Nightmare Eclipse.
  • The researcher claims Microsoft broke an agreement, leading to the public disclosure of flaws, including CVE-2026-45586 and CVE-2020-17103.

Yapay zekâ özeti

Neden Önemli?

A researcher known as Nightmare Eclipse has publicly disclosed several high-severity zero-day vulnerabilities in Microsoft products after alleging a breach of agreement with the software giant. Microsoft has now released patches for two of these vulnerabilities, CVE-2026-45586 and CVE-2020-17103, while other disclosed flaws remain unaddressed.

Yazı boyutu

Microsoft on Tuesday released fixes for two high-severity zero-days that were disclosed by a researcher who has been locked in a testy beef with the software giant.

Nightmare Eclipse, the pseudonym the researcher goes by, released a handful of high-severity vulnerabilities in recent months, making them zero-days that had the potential to be exploited in the wild. The researcher has said the disclosures, which included proof-of-concept code, came after Microsoft reneged on an arrangement the two made regarding vulnerabilities they had discussed.

Disclosure drama

“But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. “They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”

As part of June’s vulnerability patch batch release, Microsoft issued a fix for CVE-2026-45586. Nightmare Eclipse disclosed the vulnerability and limited PoC code in May under the name GreenPlasma. The vulnerability is a local privilege escalation, meaning it can be chained to a separate vulnerability to give users or processes with low-level privileges the ability to defeat OS protections and gain full SYSTEM rights needed to install malware.

Microsoft said CVE-2026-45586 required minimal complexity to exploit, required no user interaction, and that chances of active exploitation in the wild were likely. The vulnerability, the company added, was the result of “improper link resolution before file access (‘link following’) in [the] Windows Collaborative Translation Framework.” There are no indications that the vulnerability has been actively exploited so far.

Tuesday’s patch bundle also fixed MiniPlasma, a separate vulnerability disclosed by Nightmare Eclipse. Microsoft said in an email that the vulnerability is tracked as CVE-2020-17103, a vulnerability Microsoft first fixed six years ago. That means MiniPlasma was the result of a regression or an incomplete patch in its initial form. The company is in the process of updating Tuesday’s bulletin to note the republication.

Microsoft has yet to release patches for other vulnerabilities disclosed by Nightmare Eclipse. The company did provide manual instructions for mitigating YellowKey, a vulnerability that allows attackers to defeat Bitlocker full-disk encryption. That could be a boon when attackers have physical access to a device (the precise scenario Bitlocker is designed to protect against). The company has yet to fix the underlying cause of the vulnerability.

The status of other vulnerabilities disclosed by Nightmare Eclipse are also unclear at the moment. The researcher named one vulnerability, present in Windows Defender RedSun. Another, named BlueHammer, is also a local privilege escalation flaw that provides SYSTEM rights.

Over the past few months, Nightmare Eclipse has taken multiple potshots at Microsoft. The specific criticisms remain unclear, but many make references to complaints about the company’s vulnerability disclosure program. Microsoft, in turn, has publicly railed against the researcher for “not responsibly” disclosing the vulnerabilities and made a vailed reference to the possibility of pursuing legal action. After a public backlash, Microsoft later relented and vowed no such legal action would occur.

On Tuesday, Nightmare Eclipse published exploit code for a new Windows vulnerability. It’s a race condition that targets Defender.

Tuesday’s patch batch included fixes for roughly 200 vulnerabilities. Notwithstanding the appearance that MiniPlasma was fixed, two of them were also confirmed as zero-days.

Post updated to include information Microsoft provided after initial publication of this post.

Bundan Sonra Ne Olabilir?

Yapay zekâ öngörüsü — kesinlik taşımaz

  • Microsoft will likely address the remaining disclosed vulnerabilities, either through patches or mitigation instructions.

    Muhtemel · Haftalar içinde

  • The researcher may continue to disclose vulnerabilities if the dispute with Microsoft is not resolved.

    Olası · Aylar içinde

Açık Sorular

  • What was the specific nature of the agreement between Microsoft and Nightmare Eclipse?
  • Will Microsoft release patches for the other disclosed vulnerabilities?
  • What are the potential consequences of the unpatched vulnerabilities?
  • What is the full extent of the damage caused by the alleged agreement violation?

İlgili Konular

Bu haber ilk olarak şurada yayınlandı: Ars Technica.

İlgili Haberler

Bu konuda daha fazlamicrosoft