Microsoft’s GitHub bans security researcher who posted zero-day Windows exploits because company ‘ruined their life’ — expert claims action is vindictive and promises further retaliation

In a notable turn of events within the Windows security landscape, researcher Nightmare-Eclipse, also known as Chaotic Eclipse, has found themselves at odds with Microsoft once again. The tech giant recently banned Eclipse’s GitHub account for reasons that remain undisclosed, prompting the researcher to transition their operations to GitLab. Compounding the situation, it has been reported that Microsoft also deleted the Microsoft account Eclipse utilized for reporting vulnerabilities.

In a passionate blog post, Eclipse characterized Microsoft’s actions as vindictive, reiterating their claims of unsuccessful communication attempts with the company. They lamented, “got zero pennies from doing so,” hinting at potential unpaid bug bounties from the Microsoft Security Response Center (MSRC) program. This initiative offers substantial rewards, ranging from ,000 to 0,000 for endpoint zero-day vulnerabilities, and up to 0,000 for exploits targeting Hyper-V.

Eclipse, who boasts a portfolio of six zero-day exploits, has hinted at a forthcoming reckoning on July 14, suggesting that more zero-day exploits may be unveiled. Their blog posts reflect a mix of frustration and fervor, directing pointed criticism at Microsoft and the MSRC. In a broad summary, Eclipse insinuates that Microsoft has either ignored their zero-day reports or failed to provide the promised bounties, resulting in financial repercussions for the researcher. Among their more striking statements, Eclipse claimed, “I was told personally by [Microsoft] that they will ruin my life and they did,” and alluded to a “dead-man switch” that could lead to severe consequences for Microsoft.

Critique of Microsoft’s Approach

Some industry insiders have voiced their concerns regarding Microsoft’s approach to security research. One commentator noted, “MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers.” This sentiment raises questions about the efficacy of the current MSRC team and their handling of vulnerability reports. It is speculated that Microsoft’s recent requirement for researchers to submit video evidence of exploits may have contributed to the friction between the company and Eclipse.

Despite the ongoing drama, Microsoft has remained silent on the specifics of the situation, leaving observers to speculate whether the conflict stems from an uncooperative researcher or a company that is difficult to engage with regarding security reports. The decision to ban Eclipse’s GitHub account has drawn significant criticism, particularly as it appears to achieve little for overall security, given that the exploits are already in circulation.

In an era where AI-assisted vulnerability discovery is accelerating, the traditional 90-day disclosure-to-patch window looks increasingly dated. With the gap between disclosure and in-the-wild exploitation shrinking toward zero, and few published exploits going unused, Microsoft and other software vendors may need to reassess their disclosure and patching policies.

Eclipse’s technical output is noteworthy: a series of zero-day exploits targeting Windows. These include BlueHammer, which escalates to the SYSTEM account via Microsoft Defender; RedSun, which achieves the same level of access; UnDefend, which disables Defender; GreenPlasma, which reaches SYSTEM through the CTFMon service; MiniPlasma, which exploits a flaw in the Windows Cloud Filter driver; and YellowKey, a BitLocker vulnerability that allows unauthorized access to encrypted drives.

Notably, BlueHammer, RedSun, and UnDefend have been confirmed as actively exploited in the wild, raising concerns that the other vulnerabilities may also be in use. Eclipse’s publication of full or partial proof-of-concept code has made it relatively easy for malicious actors to leverage these exploits.

Winsage