Proof-of-concept code for Microsoft Windows vulnerabilities has recently been published several times before any security update was available. Such vulnerabilities were then exploited, for example the unpatched Windows zero-days RedSun, UnDefend and BlueHammer. Microsoft doesn’t like that. The company is threatening lawsuits and police involvement. The person who discovered the Windows vulnerabilities denies the allegations.
In a blog post, the Microsoft Security Response Center (MSRC) complains that it was not informed about the vulnerabilities in advance. Doing so is generally good form in the IT security industry: under standardized Coordinated Vulnerability Disclosure (CVD), those who discover a vulnerability inform the responsible vendor and give it a limited time to issue updates that fix the flaw. Large organizations also regularly reward researchers financially for responsible disclosure.
CVD is intended to prevent vulnerabilities from being actively exploited and at the same time to encourage software publishers to secure their products quickly. “Uncoordinated releases that provide proof-of-concept code for unpatched vulnerabilities to do-gooders are indefensible and have real consequences,” writes the MSRC. Microsoft will not refrain from suing both the actual perpetrators and the publishers, “as necessary in cooperation with law enforcement authorities around the world”.
Beware of the boomerang
While prosecuting third parties who actively exploit vulnerabilities is difficult, it is also undisputed; prosecuting security researchers, on the other hand, is something experts have long warned against, because it reduces the willingness of the entire community to cooperate.
“In our experience, organizations with more advanced security approaches are less likely to threaten lawsuits because they understand that this reduces the chances of subsequent vulnerability reports,” says a fall 2020 legal guide from the Cyberlaw Clinic at Harvard Law School and the Electronic Frontier Foundation (EFF). “Larger organizations without specific IT security expertise may be more inclined to respond to a report with warning letters or legal threats.”
There is also the risk of a Streisand effect: lawsuits can draw public attention to the plaintiff’s security shortcomings. In the case of the recent zero-days, however, Microsoft no longer has anything to lose on that front.
Counter-accusations
Microsoft has already deleted the GitHub account of the alleged discoverer of the vulnerabilities in question (pseudonym Nightmare Eclipse). That was easy, since GitHub belongs to Microsoft, but it came too late. In total, Nightmare Eclipse (also Chaotic Eclipse, Dead Eclipse, or simply Eclipse) announced no fewer than six Microsoft zero-days within six weeks: BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma and MiniPlasma (both going back to CVE-2020-17103).
He also recycled problems that were already known. According to a post on Blogspot, the “release” of GreenPlasma is said to be nothing more than a copy of code that has been available from Google’s Project Zero since 2020. This Windows flaw allows the unauthorized creation of arbitrary keys in the Windows registry.
In the same blog, titled “Nightmare Eclipse”, the author dismisses the accusation of not following CVD rules as “defamation”. Rather, he says, Microsoft intentionally blocked his MSRC account, which he had used to report vulnerabilities free of charge. After repeated inquiries about the reason for the ban, Microsoft deleted the account without ever answering his questions.
The previously good reputation of the Microsoft Security Response Center has suffered greatly in the community. “To save money, Microsoft fired the talented people, which left only rule sticklers,” is how IT security researcher Will Dormann outlined the problem on Mastodon in early April. He would not be surprised if Microsoft had closed the case because the reporter did not include a video of the exploit. This is now apparently a requirement of the MSRC.
heise online has asked Microsoft whether videos are actually still required and what measures it will take to make it easier to report vulnerabilities.
(ds)
