Microsoft has recently faced criticism for its legal threats against researchers who disclose zero-day vulnerabilities without prior notification. The issue centers on a researcher, known as Chaotic Eclipse and Nightmare Eclipse, who revealed details and proof-of-concept exploits for several unpatched vulnerabilities in Microsoft products. A disagreement during the disclosure process led the researcher to publish these vulnerabilities, which include RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. These vulnerabilities primarily allow privilege escalation; YellowKey bypasses BitLocker protection and UnDefend affects Microsoft Defender.
Microsoft has started releasing patches, but some of the vulnerabilities, such as BlueHammer, RedSun, and UnDefend, have already been exploited. The researcher has accused Microsoft of ignoring communications and defaming them, while Microsoft criticized the researcher for exposing customers to risk. The company has disabled the researcher’s accounts on its platforms and emphasized the importance of coordinated disclosure to protect customers.
The backlash from the cybersecurity community prompted Microsoft to clarify its stance, stating it does not intend to take legal action against researchers conducting security research unless malicious activity causing harm is involved. Microsoft expressed its commitment to a constructive relationship with the security community, acknowledging potential misunderstandings and emphasizing respect and professionalism. Despite Microsoft’s clarifications, Nightmare Eclipse suggested that legal action was indeed taken against them and announced plans to release a full BitLocker bypass soon.

