Hacker News — AI on Front Page · · 6 min read

GitHub bans security researcher who posted zero-day Windows exploits


231 pts · 117 comments on Hacker News

(Image: entry blocked / access denied. Image credit: Getty Images)

There's been some drama unfolding lately in the Windows security world, and today's episode comes from yet another apparent run-in between researcher Nightmare-Eclipse (aka Chaotic Eclipse) and Microsoft. The company saw fit to ban Eclipse's GitHub account for as-yet unspecified reasons, forcing them to pack up and move shop to GitLab instead. Additionally, the Redmond firm had allegedly already deleted the Microsoft account Eclipse used for reporting the bugs.

In a blog post, Eclipse claims this action was vindictive, stating once again that Microsoft refused communication attempts and that they "got zero pennies from doing so", a likely allusion to unpaid bug bounties from the MSRC program. The initiative pays out $30,000 to $100,000 per endpoint zero-day, depending on conditions, and a cool $250,000 if you can crack open Hyper-V. Already having six zero-day exploits under their belt, Eclipse claims that July 14 will bring a reckoning of sorts for the company, hypothetically in the form of more zero-day exploits being published.

Eclipse's dramatic dispute with Microsoft has been ongoing since early April, when they published the BlueHammer zero-day without warning. The language in their blog posts is unclear and passionate, directing cargo tanks of vitriol at Microsoft/MSRC. As a broad summary, Eclipse implies that Microsoft ignored or refused their zero-day reports and/or did not pay out bounties as requested, somehow causing financial harm in the process. Among other statements, Eclipse says "[they were] told personally by [Microsoft] that they will ruin my life and they did", that there's a dead-man switch of some sort, and that they "will make sure [Microsoft's] bones are shattered."


The saga has drawn speculation from other experts, like William Dormann from Tharros, who said that "MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."

Microsoft has been mum on any details about these matters, so it's hard to tell if the situation is about an uncooperative researcher who doesn't follow standard disclosure rules or a company being difficult about security reports. Regardless, the move to ban Eclipse's GitHub account makes for poor optics, as it is being heavily criticized, and ultimately achieves nothing for security, since the code is out there anyway.

In this day and age, when AI-powered security research has arguably made the standard 90-day disclosure-to-patch window completely obsolete, and both time-until-exploit and the stock of unused exploits are nearing zero, Microsoft and other software players would do well to adjust their policies.

Eclipse's technical track record is impressive. They published a string of zero-day exploits for Windows: BlueHammer gets access to the SYSTEM user via Defender, and RedSun does the same; UnDefend knocks Defender offline; GreenPlasma gets SYSTEM access via the CTFMon service, while MiniPlasma grants similar access via a flaw in the Windows Cloud Filter driver. Finally, there's YellowKey, a vulnerability in BitLocker that lets an attacker open up encrypted drives with next to no effort — precisely the action the technology was designed to prevent.


BlueHammer, RedSun, and UnDefend have all been confirmed to be undergoing active exploitation in the wild, and it's not hard to imagine the others are as well, as Eclipse's publications of full or partial proof-of-concept code made it trivial for an interested party to use them.


Bruno Ferreira
Contributor

Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.

  • I don't get why MS does this. It's not like they're going to stop looking for zero-day Windows exploits.
  • I mean... the AI Bros are also taking the vindictive route on security.

    "AI found this. We're breaking embargo on every CVE report, so you use the same AI we did that found this."
  • rgd1101 said:
    I don't get why MS does this. It's not like they're going to stop looking for zero-day Windows exploits.
    All this proves is why one company should not be allowed to control so many services.

    Using GitHub to punish a security researcher for releasing information about Windows exploits is inappropriate and certainly isn't going to stop them from releasing similar information in the future. If anything, this is just going to encourage them to look ever harder for damaging zero-days.
  • So fire will rain down on Microsoft on 14 juillet you say?

    Tremble, tyrants and ye traitors!
    The disgrace of all parties, tremble!
    Your parricidal schemes will finally receive their due!
    (That was the least bloody verse I could find in La Marseillaise.... Yikes)
  • “Flowchart followers”. Almost every line of work has more experienced people denigrating the less experienced, but in tech it’s extreme. Now less experienced people can’t even get jobs because they’re being replaced by more experienced people using AI. That’ll show those diaper shitters!
  • Microsoft's massive bureaucracy of position levels and rigid policies has allowed them to lose control of the optics of this situation, one which is only going from bad to worse. Of course, M$ usually doesn't even seem to be aware of the optics on the things they do (and don't do), so what else could anyone really expect?

    BTW, July 14th is the Patch Tuesday for the month of July, so that date makes sense for some fireworks. I suspect we'll also see another zero day or two on or around June 9th.
  • Just another day, and more abusive BS from Microsoft.

    Microsoft has no business anywhere in the consumer space. We need a wall of separation between Microsoft and consumers. They need to be quarantined into the B-to-B realm.

    The only way Microsoft treats you fairly is if you've got a million-dollar-plus contract with them. And I bet even some businesses also have their tales of abuse and harassment.

    It's just............ who they are. They can't help themselves.
  • Add another reason for people to leave Windows... they actively fight & ban the ones trying to report vulnerabilities :|
  • This is typical Microsoft. Pre-Windows Update, we used to open defects with them and they refused to service us unless we installed some service pack.
    We finally turned it back on them and said they would have to describe how the SP fixed our issue because if we installed said SP it broke the OS.
    That broke the process chart they kept throwing at us.