Earlier this month, security researcher "Chaotic Eclipse" (also known as Nightmare-Eclipse) released a zero-day vulnerability called YellowKey, which they said enabled them to access BitLocker-encrypted drives on Windows 11 using a basic USB stick. "Can't think of any other explanation besides the fact that this was done on purpose. Also, for some reason, only Windows 11 (+Server 2022/2025) is impacted; Windows 10 isn't," they explained.
Last week, Microsoft confirmed that it is aware of the security feature bypass vulnerability in Windows. It said it is tracking the YellowKey zero-day as CVE-2026-45585 and shared mitigation measures to prevent it from being used to gain unauthorized access to protected drives. "The prototype for this security flaw has been released publicly, going against established coordinated vulnerability guidelines," the company added.
After the researcher stated that the BitLocker flaw in Windows 11 is an intentional backdoor, their GitHub account was banned by Microsoft (GitHub's owner) for reasons that have not been disclosed, prompting them to move to GitLab (via Tom's Hardware).
Interestingly, it seems that the company also deleted Chaotic Eclipse's Microsoft account, which they had used to report the issues. Eclipse characterized Microsoft's actions as "vindictive." In a detailed blog post, they wrote:
"Let me make sure I understand, when I specifically asked you to talk to me, you said no, embarrassed me, and made certain to insult me in front of others.
You slander me publicly with your CVE-2026-45585 advisory, even though you actually removed the Microsoft account I used to report issues to you, and I didn't receive a single penny for it, yet I still did it like a fool.
Now you're taking the initiative to flag my GitHub account and remove it from public view, just like that? You're showing everyone that you're actively escalating this conflict, but I'm done pleading with you.
I may come across as a crazy person complaining, but I have evidence for every word I've said. I just can't share it right now. Why? Microsoft still has control over me; this situation has been going on for years, and I can't keep quiet any longer. I hope to be able to release the documents soon.
Note this date, July 14th, I will ensure your bones are broken on that day. Nothing will be launched this June (or perhaps I might release something, depending on the situation)."
The conflict between the researcher and Microsoft appears to stem from unpaid bounties under the MSRC program. Nightmare-Eclipse stated that Microsoft ignored their attempts to communicate and that they "didn't get a single penny" for their reports.

Microsoft's MSRC (Microsoft Security Response Center) bounty program pays from $30,000 to $100,000 per endpoint zero-day vulnerability, with the amount depending on the specific circumstances. The sum can rise to $250,000 for a Hyper-V escape.
When deciding how much to pay researchers for significant vulnerabilities, Microsoft weighs factors such as the severity of the issue, how easily it can be reproduced and exploited, and the overall quality of the report, from well-documented details to a working demonstration.
Eclipse therefore appears to be suggesting either that Microsoft ignored and rejected their zero-day reports, or that the company declined to pay a bounty to a researcher who has already identified six zero-day vulnerabilities.
When releasing YellowKey, Eclipse stated that they "could have earned a lot of money by selling this, but no sum of money can stop me from my resolve against Microsoft."
But Eclipse appears to be preparing a more troubling retaliation against Microsoft on July 14, as the "bones are broken" line in their blog post suggests. In the same post they assert that Microsoft personally informed them "that they would ruin my life, and they did," mention the existence of a dead-man switch of some kind, and repeat that they "will ensure Microsoft's bones are broken."
In this regard, Microsoft has not commented on the issue, prompting me to question whether Eclipse's assertions are accurate or if the researcher simply did not fulfill the specific criteria set by the MSRC program for obtaining a reward for reporting a critical vulnerability. I will closely monitor this development, update this article, and provide any additional information to keep you informed.
