


























Anonymous researcher drops six Windows zero-days in six weeks after alleged Microsoft bug bounty program failures
Dead phone batteries during emergencies are dangerous, but six unpatched Windows exploits actively hunting your enterprise network? That’s the kind of chaos money can’t fix. An anonymous researcher called “Nightmare-Eclipse“ has spent six weeks systematically nuking Microsoft’s security reputation, dropping working zero-day exploits faster than Redmond can patch them. Your Windows systems are now caught in the crossfire of tech’s ugliest disclosure meltdown.
Three critical exploits are powering real-world ransomware attacks across enterprise networks.
BlueHammer, RedSun, and UnDefend aren’t just proof-of-concept demos gathering GitHub stars. Security firm Huntress documents attackers chaining these tools to escalate privileges, blind Microsoft Defender, and deploy ransomware. CISA reportedly added BlueHammer to its Known Exploited Vulnerabilities catalog — government-speak for “this is actively ruining people’s day.”
The other five exploits? Still allegedly unpatched, with YellowKey’s BitLocker bypass flagged by Microsoft itself as “exploitation more likely.” You’re defending against weapons-grade code that’s been public for weeks.
Legal threats and blame-shifting replace the technical response enterprises desperately need.
Rather than quietly fixing the mess, Microsoft published a blog invoking its “Digital Crimes Unit” and threatening to coordinate with law enforcement against researchers who violate disclosure norms. Former Microsoft security architect Katie Moussouris calls the response “vaguely threatening” and warns it could chill future bug reporting.
Vulnerability disclosure expert Dustin Childs points out the obvious: “CVD is a two-way street” — you can’t publicly accuse someone of violating coordination after allegedly deleting their reporting account. Microsoft claims researchers get “compensated and acknowledged,” which directly contradicts Nightmare’s allegations of deleted accounts, withheld payments, and public defamation.
The researcher’s promised “bone shattering” finale could unleash even deadlier Windows exploits.
Nightmare-Eclipse has marked July 14 for a “bone shattering” disclosure that promises to dwarf the current chaos. The theatrical language masks serious preparation requirements: patch everything from April, monitor for abnormal Defender behavior, and reconsider TPM-only BitLocker configurations.
Kevin Beaumont, another Microsoft alumnus, calls this whole situation a “dumpster fire of Microsoft’s own making,” noting the company previously hired zero-day dropper SandboxEscaper rather than prosecuting her.
The bitter irony? Nightmare‘s dramatic escalation might be the only thing forcing Microsoft to actually listen to researchers who’ve been saying the company is “difficult to work with” for years. Unfortunately, your security team gets to manage the fallout while two tech giants settle their grudge match in public.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。