Microsoft’s June Patch Tuesday bundle included a zero-day fix that arrived wrapped in a bitter, months-long dispute between the company and a security researcher known as Nightmare Eclipse. The bundle, which fixed roughly 200 vulnerabilities, also addressed a separate flaw that Microsoft first claimed to have fixed six years ago but that has apparently resurfaced.
A Dispute That Turned Personal
The rivalry between Microsoft and Nightmare Eclipse has been playing out publicly for months. The researcher has published details of multiple zero-day exploits for Windows vulnerabilities, including tools named RedSun and BlueHammer, which target Windows Defender and enable local privilege escalation to SYSTEM-level access. Another disclosed flaw, YellowKey, defeats BitLocker full-disk encryption when an attacker has physical access to a device, the exact scenario BitLocker was designed to prevent.
Microsoft initially pushed back hard. The company publicly criticized Nightmare Eclipse for “not responsibly” disclosing vulnerabilities and made veiled threats about legal action. After significant public backlash, Microsoft backed off the legal threats but still hasn’t fixed several of the disclosed flaws. For YellowKey, the company offered only manual mitigation instructions rather than an actual patch.
On Tuesday — the same day Microsoft released its enormous patch bundle — Nightmare Eclipse published exploit code for yet another Windows vulnerability, a race condition targeting Defender. The timing felt deliberate.
The Regression Problem
Perhaps most embarrassing for Microsoft: Tuesday’s patches also fixed a vulnerability called MiniPlasma, which Microsoft tracks as CVE-2020-17103. The company first patched this vulnerability six years ago, meaning either MiniPlasma is a regression or the original patch was incomplete. Either scenario raises uncomfortable questions about Microsoft’s testing and patch verification processes.
Microsoft said it’s updating its security bulletin to reflect the republication. The company confirmed that two of the roughly 200 vulnerabilities in Tuesday’s bundle were being actively exploited as zero-days.
What’s Still Unpatched
The status of Nightmare Eclipse’s other disclosed vulnerabilities — RedSun and BlueHammer — remains unclear. Neither has received a patch. Given the researcher’s cadence of public disclosures and Microsoft’s slow response, more public exploit code may be coming.
The Bigger Picture
This saga highlights a growing tension in the security research community. Researchers who discover critical flaws sometimes go public when they feel vendors are dragging their feet. Vendors argue that premature disclosure puts customers at risk. Both sides have valid points, but when a company threatens legal action against a researcher who found vulnerabilities in its products, it damages trust across the ecosystem.
What to Do
If you haven’t applied Tuesday’s patches yet, do it now. With two confirmed zero-days and a regression of a six-year-old vulnerability, this isn’t a bundle to sit on. And if you’re relying on BitLocker for physical security, be aware that YellowKey remains unpatched — the manual mitigations Microsoft published are your only defense for now.
