Tuesday’s patch bundle also fixed MiniPlasma, a separate vulnerability disclosed by Nightmare Eclipse. Microsoft said in an email that the vulnerability is tracked as CVE-2020-17103, a vulnerability Microsoft first fixed six years ago. That means MiniPlasma was the result of a regression or an incomplete patch in its initial form. The company is in the process of updating Tuesday’s bulletin to note the republication.
Microsoft has yet to release patches for other vulnerabilities disclosed by Nightmare Eclipse. The company did provide manual instructions for mitigating YellowKey, a vulnerability that allows attackers to defeat Bitlocker full-disk encryption. That could be a boon when attackers have physical access to a device (the precise scenario Bitlocker is designed to protect against). The company has yet to fix the underlying cause of the vulnerability.
The status of other vulnerabilities disclosed by Nightmare Eclipse are also unclear at the moment. The researcher named one vulnerability, present in Windows Defender RedSun. Another, named BlueHammer, is also a local privilege escalation flaw that provides SYSTEM rights.
Over the past few months, Nightmare Eclipse has taken multiple potshots at Microsoft. The specific criticisms remain unclear, but many make references to complaints about the company’s vulnerability disclosure program. Microsoft, in turn, has publicly railed against the researcher for “not responsibly” disclosing the vulnerabilities and made a vailed reference to the possibility of pursuing legal action. After a public backlash, Microsoft later relented and vowed no such legal action would occur.
On Tuesday, Nightmare Eclipse published exploit code for a new Windows vulnerability. It’s a race condition that targets Defender.
Tuesday’s patch batch included fixes for roughly 200 vulnerabilities. Notwithstanding the appearance that MiniPlasma was fixed, two of them were also confirmed as zero-days.
Post updated to include information Microsoft provided after initial publication of this post.