Recently, there has been a lot of evidence of security vulnerabilities in Windows for which the company has released no security updates. Examples are the unpatched Windows zero-days RedSun, UnDefend and BlueHammer. Microsoft is condemning this and threatening legal action. The researcher who revealed the Windows vulnerabilities denies the charges.
In a blog post, the Microsoft Security Response Center (MSRC) expressed the company's frustration that it was not informed about the vulnerabilities in advance. Advance notice is established good practice in the IT security industry: under the standard of Coordinated Vulnerability Disclosure (CVD), researchers who discover a vulnerability notify the vendor and give it a limited time to release a patch before publishing. Large organizations regularly reward researchers who uncover security vulnerabilities.
Each CVD aims to prevent the active exploitation of security vulnerabilities, while at the same time encouraging software vendors to secure their products promptly.
“Uncoordinated disclosures that place proof-of-concept code for unpatched vulnerabilities in the hands of bad actors are never justified and have real-world consequences,” writes the MSRC. “Microsoft will not hesitate to sue both the actual perpetrators and the publishers.”
Beware of the Boomerang
Of course, legal action against third parties who exploit security vulnerabilities is difficult in practice, and experts have long warned that threatening it is not helpful either, as it reduces the willingness of researchers to cooperate across the board.
“In our experience, organizations with more mature security programs are less likely to threaten legal action because they understand that such threats reduce the chances of subsequent reports of security flaws,” states a legal guide from the Cyberlaw Clinic at Harvard Law School and the Electronic Frontier Foundation (EFF). “Larger organizations without much experience in computer security may be more inclined to respond to a vulnerability report with cease-and-desist letters or legal threats.”
Added to this is the risk of a Streisand effect: lawsuits can draw even more public attention to the plaintiff's security shortcomings.
The other side
Microsoft has deleted the GitHub account of the researcher behind these vulnerabilities (pseudonym Nightmare Eclipse). This was easy, since GitHub is owned by Microsoft, but it came too late.
In total, Nightmare Eclipse (or Chaotic Eclipse, Dead Eclipse, or simply Eclipse) revealed at least six Microsoft zero-days in six weeks: BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma and MiniPlasma (both in CVE-2020-17103).
According to a post on Blogspot, the GreenPlasma “disclosure” is nothing more than a copy of code made available by Google's Project Zero in 2020. This Windows flaw allows the creation of arbitrary keys in the Windows Registry without authorization.
In the same blog, titled “Nightmare Eclipse,” the author denies the accusation that he did not follow the CVD rules. Instead, he says, Microsoft intentionally blocked his MSRC account, through which he had reported vulnerabilities for free without asking for money. After he asked repeatedly for the reason for the block, Microsoft deleted the account entirely without ever answering the questions.
The once-good reputation of Microsoft's Security Response Center has taken a significant hit.
"But to save money, Microsoft laid off experts, leaving only flowchart followers," said security researcher Will Dormann on Mastodon in early April.
George is still wondering what he is doing here….