Microsoft Patches Zero-Days Amid Public Fallout With Researcher ‘Nightmare Eclipse’

A Patch Cycle Fueled by Friction
Microsoft’s latest security update has done more than just plug technical holes; it has served as the latest chapter in an increasingly public and personal feud between the software giant and a security researcher operating under the pseudonym Nightmare Eclipse. On Tuesday, Microsoft released fixes for two high-severity zero-day vulnerabilities that were disclosed by the researcher, marking a tentative resolution to a standoff that has seen proof-of-concept (PoC) code leaked and accusations of betrayal traded in public forums.
The tension stems from a collapsed agreement between the two parties. Nightmare Eclipse claims that Microsoft reneged on a prior arrangement regarding the handling of specific vulnerabilities, leading the researcher to bypass traditional private disclosure channels. In a candid March post, the researcher alleged that the company had “stabbed me in the back,” leaving them in a precarious position. This breakdown in trust shifted the dynamic from collaborative security research to a high-stakes game of public disclosure.
The Technical Breakdown: GreenPlasma and the System Rights Gamble
Central to Tuesday’s patch bundle is the fix for CVE-2026-45586, a flaw dubbed “GreenPlasma” by the researcher. Technically categorized as a local privilege escalation (LPE), GreenPlasma is particularly dangerous because it allows an attacker—or a malicious process already on the system—to bypass OS protections and seize full SYSTEM rights. SYSTEM is the highest level of privilege in Windows, effectively giving an attacker the keys to the kingdom to install persistent malware or disable security software.
According to Microsoft, the vulnerability stems from improper link resolution before file access, specifically within the Windows Collaborative Translation Framework. The company admitted that the exploit requires minimal complexity and no user interaction, making the likelihood of active exploitation in the wild high, although there is currently no evidence that threat actors have weaponized the flaw.
The Case of the ‘Zombie’ Bug: MiniPlasma
The update also addressed another vulnerability known as “MiniPlasma,” which reveals a frustrating trend in software maintenance: the regression. Microsoft has identified this flaw as CVE-2020-17103, a vulnerability the company claims to have already fixed six years ago. The reappearance of the bug suggests that a previous patch was either incomplete or was accidentally overwritten by later code updates, effectively resurrecting a dormant security risk.
Unresolved Risks and the BitLocker Problem
Despite the Tuesday fixes, several high-profile vulnerabilities disclosed by Nightmare Eclipse remain open. The most concerning is “YellowKey,” a flaw that targets BitLocker full-disk encryption. While Microsoft has provided manual mitigation steps to protect users, it has not yet released a fundamental fix for the underlying cause. This represents a critical gap for users who rely on BitLocker to protect data from attackers with physical access to their hardware.
Other outstanding reports include “RedSun,” which targets Windows Defender, and “BlueHammer,” another LPE flaw capable of granting SYSTEM privileges. The volatility of the situation was underscored on Tuesday when Nightmare Eclipse published new exploit code for a race condition targeting Defender, signaling that the researcher is not yet finished exposing the OS’s weaknesses.
A Culture Clash in Bug Hunting
The broader conflict highlights a growing rift in the cybersecurity community regarding Vulnerability Disclosure Programs (VDPs). Microsoft has criticized Nightmare Eclipse for not following “responsible disclosure” protocols, at one point even hinting at legal action. However, after a wave of backlash from the research community, the company pivoted, eventually vowing that no legal proceedings would be pursued.
For now, the release of these patches brings a momentary lull in the conflict, but with several named vulnerabilities still pending a permanent fix, the relationship between Microsoft and its external auditors remains precarious.