Tag: RedSun

  • Microsoft reverses policy after rogue researcher Nightmare Eclipse

    Key Takeaway

    – Microsoft reversed its aggressive legal stance against security researcher “Nightmare Eclipse” after industry backlash.
    – The company abandoned the term “responsible disclosure” and returned to its “Coordinated Vulnerability Disclosure” framework.
    – Microsoft admitted automated platform crackdowns fell short of professional standards and promised good-faith engagement.
    – Despite the policy retreat, the core threat remains: exploit developers are bypassing corporate reporting channels.
    – Nightmare Eclipse plans a June exploit targeting Secure Boot and BitLocker encryption on virtual machines.


    Microsoft Reverses Course on Security Researcher Threats

    Microsoft has officially backpedaled on its aggressive legal stance against the independent security researcher operating under the alias “Nightmare Eclipse.” Following severe industry backlash from the global cybersecurity community, the tech giant quietly scrubbed its recent corporate rhetoric that equated uncoordinated bug disclosures with malicious behavior. The sudden shift represents a major damage-control effort by Redmond to patch over rapidly deteriorating relations with external threat analysts and security professionals who form the backbone of modern software defense ecosystems.

    The Original Dispute and Escalation

    The dispute originally ignited after Nightmare Eclipse bypassed traditional corporate reporting channels to publish functional proof-of-concept code for several high-severity Windows flaws. The campaign successfully weaponized zero-day vulnerabilities in foundational defensive systems, deploying local privilege escalation chains such as BlueHammer (CVE-2026-33825) and the RedSun tool designed to blind Microsoft Defender. Microsoft’s initial retaliation—which included aggressive legal threats from its Digital Crimes Unit and sweeping account bans across code-hosting platforms such as GitHub and GitLab—drew widespread condemnation from enterprise security leaders, who warned that heavy-handed corporate bullying would stifle defensive research and leave active networks exposed to malicious actors.

    Policy Update and Lingering Threats

    In its latest policy update, Microsoft explicitly clarified that it has no intention of pursuing legal actions against individuals engaged in legitimate vulnerability identification. Notably, the software giant has completely abandoned the controversial term “responsible disclosure” from its official messaging channels. The company has instead pivoted back to its classic “Coordinated Vulnerability Disclosure” framework, admitting that some of its recent automated platform crackdowns fell short of professional community standards and promising a good-faith engagement strategy for reporting going forward.

    Unresolved Vulnerabilities and Future Exploits

    Despite Microsoft’s structural policy retreat, the underlying architectural threat vector remains unresolved. Nightmare Eclipse has ignored the corporate olive branch, confirming that multiple independent exploit developers are now funneling unpatched security bugs directly to them to avoid corporate reporting pipelines entirely. The pseudonymous developer has already teased an imminent June exploit payload targeting legacy Secure Boot lifecycle vulnerabilities, claiming the upcoming code drop will completely bypass BitLocker hardware encryption on operational virtual machines ahead of a forecasted mid-summer retribution deadline.

    Sources
  • Microsoft patches Defender zero-days exploited in active attacks

    Key Takeaway

    – Two Windows Defender zero-days (RedSun and UnDefend) were exploited in the wild before patches, with CVE-2026-41091 (7.8) allowing SYSTEM privilege escalation in Malware Protection Engine and CVE-2026-45498 (4.0) causing DoS in Antimalware Platform.
    – Patches are available in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7; verify deployments are updated, especially in air-gapped or managed environments.
    – CISA added both CVEs to the Known Exploited Vulnerabilities catalog (deadline June 3, 2026 for Federal agencies); third related flaw CVE-2026-45584 was also fixed by the same engine update but not yet widely exploited.


    On May 21, 2026, Microsoft pushed out-of-band patches for two Windows Defender zero-days that were already being exploited in real-world attacks. Researcher Chaotic Eclipse disclosed both vulnerabilities, publicly known as RedSun and UnDefend, without coordinated disclosure. They had no CVEs and no fixes when first released. Endpoint security firm Huntress confirmed active exploitation before the patches existed.

    Two Windows Defender zero-days and their impact

    The more severe of the two, CVE-2026-41091, carries a CVSS score of 7.8 and targets the Microsoft Malware Protection Engine. The flaw stems from an improper link resolution before file access, which lets a low-privileged attacker manipulate a symbolic link or directory junction during a Defender scan and escalate to full SYSTEM-level control. No elevated starting permissions are required.

    Second vulnerability details

    The second, CVE-2026-45498, is rated CVSS 4.0 and targets the Microsoft Defender Antimalware Platform. It functions as a denial-of-service against the protection engine itself, silently blocking definition updates and degrading Defender’s ability to detect new threats. The flaw affects System Center Endpoint Protection, System Center 2012 R2 and 2012 Endpoint Protection, and Security Essentials in addition to standard Defender installations. Neither vulnerability triggers a visible alert to the user or administrator during exploitation.

    Resolution and deployment guidance

    Both CVEs are resolved in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. Microsoft delivers the fixes automatically through Defender’s built-in update mechanism. Administrators should confirm their deployments are running those versions or newer, particularly in air-gapped or managed environments where automatic updates may be delayed.
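    One way to carry out that verification, as an added example that is not from the original report or from Microsoft: the built-in Get-MpComputerStatus cmdlet exposes the engine version (AMEngineVersion) and the platform version (AMProductVersion), and comparing them as [version] objects rather than strings avoids false results when a later build has a shorter or longer numeric component. Test-DefenderPatched and the host list are assumptions introduced for this example.

```powershell
# Added example: check that Defender's engine and platform are at or above the
# fixed versions named in the report. The thresholds are the versions the
# article gives as patched; Test-DefenderPatched is a helper written for this example.
$fixedEngine   = [version]'1.1.26040.8'    # Malware Protection Engine fix
$fixedPlatform = [version]'4.18.26040.7'   # Antimalware Platform fix

function Test-DefenderPatched {
    param(
        [Parameter(Mandatory)] [version]$EngineVersion,    # from AMEngineVersion
        [Parameter(Mandatory)] [version]$PlatformVersion   # from AMProductVersion
    )
    # [version] comparison is numeric per component, so '1.1.26040.8' -lt '1.1.26100.2'
    # even though a plain string comparison would get such cases wrong.
    $engineOk   = $EngineVersion   -ge $fixedEngine
    $platformOk = $PlatformVersion -ge $fixedPlatform
    [pscustomobject]@{
        EngineVersion   = $EngineVersion
        EngineOk        = $engineOk
        PlatformVersion = $PlatformVersion
        PlatformOk      = $platformOk
        Patched         = $engineOk -and $platformOk
    }
}

# Local host: read the live versions and evaluate them.
$status = Get-MpComputerStatus
$local  = Test-DefenderPatched -EngineVersion $status.AMEngineVersion `
                               -PlatformVersion $status.AMProductVersion
$local | Format-List
if (-not $local.Patched) {
    Write-Warning "Defender below fixed versions for CVE-2026-41091 / CVE-2026-45498; force an update."
}

# Managed fleet: collect the same two fields remotely and flag hosts still behind.
# $hosts is a placeholder list; replace with the environment's own inventory.
$hosts = @('HOST-PLACEHOLDER-1', 'HOST-PLACEHOLDER-2')
Invoke-Command -ComputerName $hosts -ErrorAction SilentlyContinue -ScriptBlock {
    Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion
} | ForEach-Object {
    $r = Test-DefenderPatched -EngineVersion $_.AMEngineVersion -PlatformVersion $_.AMProductVersion
    [pscustomobject]@{ Host = $_.PSComputerName; Engine = $r.EngineVersion;
                       Platform = $r.PlatformVersion; Patched = $r.Patched }
} | Where-Object { -not $_.Patched } | Format-Table -AutoSize
```

Hosts that cannot reach the update service (air-gapped systems) will keep reporting the older versions until the engine and platform packages are staged manually, so an empty table from the fleet check is only meaningful once every host has actually responded.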

    Regulatory and broader context

    CISA added both vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026, giving Federal Civilian Executive Branch agencies until June 3 to confirm patching. The same engine update that resolves CVE-2026-41091 also addresses a third flaw, CVE-2026-45584, a heap-based buffer overflow with a CVSS of 8.1 that allows remote code execution without user interaction. CVE-2026-45584 has not yet been confirmed exploited in the wild.

    Background and related disclosures

    RedSun and UnDefend are the fourth and fifth zero-days released by Chaotic Eclipse over the past six weeks, all targeting Windows security components. MiniPlasma, which gives SYSTEM access on fully patched Windows 11 machines via the Cloud Filter driver, remains unpatched. For more on that disclosure and its context within the broader series, see our earlier report:

    • BleepingComputer
    • Security Week
    • Microsoft
    • nvd.nist.gov