Too many zero-days: Microsoft threatens legal action

Microsoft is struggling with published evidence of unpatched security vulnerabilities. The company is now threatening legal action.

[Image: T-shirt with the inscription "All you need is love, all you get is 0day" (Image: Daniel AJ Sokolov)]


Evidence of security vulnerabilities in Microsoft Windows has recently been published multiple times without a security update being available. Such vulnerabilities were subsequently exploited, for example the unpatched Windows zero-days RedSun, UnDefend, and BlueHammer. Microsoft disapproves of this. The company is threatening lawsuits and the involvement of law enforcement. The discoverer of the Windows vulnerabilities rejects the accusations.

In a blog post, the Microsoft Security Response Center (MSRC) expresses annoyance that it was not informed about the security vulnerabilities in advance. This is fundamentally part of good practice in the IT security industry: As part of standardized Coordinated Vulnerability Disclosures (CVD), discoverers of a security vulnerability inform the responsible parties and give them a limited time to release updates to fix the flaw. Large organizations also regularly reward discoverers financially for responsible disclosure.

CVD is intended to prevent security vulnerabilities from being actively exploited while at the same time pushing software vendors to secure their products promptly. “Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” writes the MSRC. Microsoft says it will not refrain from suing both those who actually exploit the flaws and those who publish them “– as needed in cooperation with law enforcement around the world.”

While the legal prosecution of third parties who actively exploit security vulnerabilities is difficult but undisputed, experts have long warned against prosecuting security researchers. This is because it reduces the willingness to cooperate within the entire scene.

“In our experience, organizations with more mature security programs are less likely to threaten litigation because they understand that such threats reduce the chances of later reports of security flaws,” states, for example, a legal guide from the Cyberlaw Clinic at Harvard Law School and the Electronic Frontier Foundation (EFF) from autumn 2020. “Larger organizations without particular expertise in computer security may be more inclined to respond to a vulnerability report with cease-and-desist letters or legal threats.”

Added to this is the risk of a Streisand effect: lawsuits can draw even more public attention to the plaintiff's security shortcomings. In the case of the recent zero-days, however, Microsoft has nothing more to lose.

Microsoft has already deleted the GitHub account of the alleged discoverer of the security vulnerabilities in question (pseudonym Nightmare Eclipse). This was easy, as GitHub belongs to Microsoft, but it came too late. In total, Nightmare Eclipse (also Chaotic Eclipse, Dead Eclipse, or simply Eclipse) has disclosed no fewer than six Microsoft zero-days within six weeks: BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma (both tracing back to CVE-2020-17103).


In doing so, he also drew on already known problems. According to a post on Blogspot, the “disclosure” of GreenPlasma is nothing more than a copy of the code available from Google's Project Zero since 2020. This Windows flaw allows arbitrary keys to be created in the Windows Registry without authorization.

In the same blog titled “Nightmare Eclipse,” the author dismisses the accusation of not having followed CVD rules as “defamation.” Rather, Microsoft had intentionally blocked his MSRC account, through which he had reported vulnerabilities free of charge. After multiple inquiries about the reason for the block, Microsoft deleted the account altogether without ever answering the questions.

The once-good reputation of the Microsoft Security Response Center has suffered greatly in the scene. “But to save money, Microsoft fired the skilled people, leaving flowchart followers,” IT security researcher Will Dormann summarized the issue on Mastodon in early April. He would not be surprised if Microsoft had closed the case because the reporter had not attached a video of the exploit. This is apparently now a requirement of the MSRC.


heise online has asked Microsoft for information on whether videos are indeed still required and what measures it will take to facilitate the reporting of security vulnerabilities.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.