Windows Zero-Day Published on Github as Microsoft Fails to Act

A security researcher has taken the bold step of publishing a working exploit for a Windows zero-day vulnerability on GitHub, following what many perceive as a lack of action from Microsoft’s Security Response Center (MSRC). The exploit, named BlueHammer, allows attackers to gain SYSTEM-level privileges by exploiting a race condition within Windows Defender’s signature update mechanism. The researcher, known as Chaotic Eclipse, made the exploit available on April 2, stating, “I was not bluffing Microsoft, and I’m doing it again.” The repository has since garnered significant attention, with over 100 forks and nearly 300 stars, reflecting a growing interest from both cybersecurity researchers and potential malicious actors. Will Dormann, a principal vulnerability analyst at Tharros, confirmed that while BlueHammer is functional, it may not always operate with complete reliability. Notably, Microsoft has yet to issue a patch for this vulnerability.

How BlueHammer Works

BlueHammer is a local privilege escalation flaw that combines a time-of-check to time-of-use (TOCTOU) race condition with path confusion. Justin Elzem, CTO at TrustedSEC, elaborated on the mechanics of the exploit, explaining that it targets Windows Defender’s signature update process. In this scenario, a service running as SYSTEM follows a file path that a low-privileged attacker can redirect mid-operation using symlinks and junctions. Because Windows Defender operates with the highest privileges, it is an attractive vector for this class of bug. Once the exploit succeeds, the attacker gains access to the Security Account Manager (SAM) database, which contains password hashes for all local accounts, effectively completing the escalation to SYSTEM. Dormann succinctly noted, “at that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell.”
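To make the TOCTOU-plus-path-confusion pattern described above concrete for service developers, here is an added illustration that is not part of the original article and is not BlueHammer or any Microsoft code. It is a generic, platform-neutral lab in Python: a privileged-style reader that checks a path and then opens it by name (the vulnerable ordering) beside a reader that opens first, refuses to follow a symlink at open time, and makes its decision on the already-open descriptor. The "race_hook" callback, the temp-directory layout and the file contents are all constructed for the demo; the hardened variant relies on POSIX O_NOFOLLOW, so the refusal behaviour shown in the tests assumes a Unix-like host.

```python
import os
import stat
import tempfile


def vulnerable_read(path: str, race_hook=None) -> bytes:
    """Check-then-use by path: the classic TOCTOU shape.

    The lstat() decision describes what `path` named at check time; open()
    resolves the name a second time, so anything swapped in between is
    followed without any further check.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing symlink or non-regular file")
    if race_hook is not None:
        race_hook()  # constructed stand-in for the window an attacker races
    with open(path, "rb") as f:  # second resolution of the same name
        return f.read()


def hardened_read(path: str, race_hook=None) -> bytes:
    """Open first, decide on the descriptor.

    O_NOFOLLOW makes open() fail if the final path component is a symlink,
    and fstat() inspects the object actually opened. Once the descriptor is
    held, renaming or replacing the name cannot change what it refers to.
    (Assumption: POSIX host; on Windows the analogous defence is opening
    with FILE_FLAG_OPEN_REPARSE_POINT and checking for a reparse point.)
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)  # raises OSError (ELOOP) on a symlink
    with os.fdopen(fd, "rb") as f:  # fdopen owns fd and closes it
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("opened object is not a regular file")
        if race_hook is not None:
            race_hook()  # same window, but it now happens after open()
        return f.read()


def run_scenario(reader, race: bool) -> str:
    """Constructed lab: a benign update file and a sensitive file that the
    caller must never obtain. The swap replaces the benign name with a
    symlink to the sensitive file, either during the reader's window
    (race=True) or before the reader is ever called (race=False).

    Returns the text read, or "REFUSED" if the reader rejected the file.
    """
    with tempfile.TemporaryDirectory() as d:
        benign = os.path.join(d, "update.dat")
        sensitive = os.path.join(d, "sensitive.dat")
        with open(benign, "wb") as f:
            f.write(b"BENIGN")
        with open(sensitive, "wb") as f:
            f.write(b"SECRET")

        def swap():
            os.remove(benign)
            os.symlink(sensitive, benign)

        try:
            if race:
                return reader(benign, race_hook=swap).decode()
            swap()
            return reader(benign).decode()
        except OSError:  # PermissionError and ELOOP both land here
            return "REFUSED"


if __name__ == "__main__":
    for name, reader in (("vulnerable", vulnerable_read), ("hardened", hardened_read)):
        print(f"{name:10s} raced:   {run_scenario(reader, race=True)}")
        print(f"{name:10s} pre-swapped: {run_scenario(reader, race=False)}")
```

The point the table of outcomes makes is that both readers refuse a symlink that is already in place, so a pre-use check looks adequate in testing; only the reader whose check happens on the opened handle survives a swap that lands inside the window. For a service that must consume files from a location a less-privileged principal can write to, the same ordering applies regardless of platform: open with the no-follow flag, verify on the handle, and never re-resolve the name.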

The publication of a Windows zero-day exploit on GitHub amid a breakdown in coordinated disclosure is becoming a familiar narrative. Upon releasing the exploit, Chaotic Eclipse sarcastically acknowledged MSRC leadership for “making this possible” and, unlike previous disclosures, opted not to provide any technical write-up. A significant point of contention arose from reports that MSRC required a video demonstration of the exploit during the vulnerability submission process. Microsoft later clarified that such video demonstrations are not a formal requirement for disclosures. Dormann provided critical insight into the situation, stating:

“MSRC used to be quite excellent to work with. But to save money Microsoft fired the skilled people, leaving flowchart followers. I wouldn’t be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that’s apparently an MSRC requirement now.”
Will Dormann, principal vulnerability analyst at Tharros

Wider Risk and Outlook

The immediate risk to Windows users is exacerbated by a lack of detection coverage. Currently, only 8 out of 72 cybersecurity vendors on VirusTotal flag the exploit file as malicious. Because the proof-of-concept is written in C and publicly accessible, attackers can recompile it into variants with unique hashes, evading signature-based detection entirely. In its official response, Microsoft reiterated its commitment to coordinated vulnerability disclosure, yet it did not address the communication breakdown within MSRC regarding the BlueHammer report. This situation is reminiscent of previous instances where Microsoft has left Windows zero-days unpatched while threat actors actively sought to take advantage of them.

“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”
Microsoft spokesperson

The widening gap between Microsoft’s stated commitments and the handling of the BlueHammer report by MSRC highlights a persistent tension within the security industry: when vulnerability disclosure programs falter, researchers are often left with the difficult choice of either withholding dangerous bugs or making them public.
