{"id":8441,"date":"2026-06-10T12:01:58","date_gmt":"2026-06-10T12:01:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8441"},"modified":"2026-06-10T12:01:58","modified_gmt":"2026-06-10T12:01:58","slug":"microsoft-feud-escalates-as-researcher-drops-new-windows-zero-day","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8441","title":{"rendered":"Microsoft feud escalates as researcher drops new Windows zero-day"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>The long-running feud between Microsoft and security researcher Nightmare Eclipse has entered a new chapter.<\/p>\n<p>Eclipse, who has spent the past several months publicly releasing unpatched Windows vulnerabilities while sparring with Microsoft over vulnerability disclosure practices, has published exploit code for a new zero-day flaw dubbed RoguePlanet.<\/p>\n<p>The researcher said the exploit relies on a race condition in Microsoft Defender, so it does not succeed on every attempt, but when it does it can potentially grant SYSTEM-level privileges even on freshly updated Windows.<\/p>\n<p>As <a href=\"https:\/\/www.csoonline.com\/article\/4160275\/caught-quarantined-re-installed-redsun-turns-microsoft-defender-on-itself.html\">before<\/a>, the exploit arrives just after Microsoft shipped its <a href=\"https:\/\/blog.talosintelligence.com\/microsoft-patch-tuesday-for-june-2026-snort-rules-and-prominent-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">June 2026<\/a> Patch Tuesday updates, which fixed over 200 security flaws, including 32 critical ones. 
\u201cThe timing is a giveaway, MiniPlasma was released on May 13, 2026\u2014exactly one day after Microsoft\u2019s May Patch Tuesday cycle, ensuring defenders have no official vendor patch for weeks,\u201d Agnidipta Sarkar, chief evangelist at ColorTokens, had said about Eclipse\u2019s previous \u201cMiniPlasma\u201d <a href=\"https:\/\/www.csoonline.com\/article\/4172320\/patched-windows-bug-resurfaces-6-years-later-as-working-system-level-exploit.html\">disclosure<\/a>.<\/p>\n<p>The exploit was dropped in a new GitHub repository, \u201cMSNightmare,\u201d surely a pointed reference to Microsoft, after GitHub (owned by Microsoft) removed Eclipse\u2019s original repositories recently. Several earlier Eclipse disclosures were reportedly incorporated into <a href=\"https:\/\/www.csoonline.com\/article\/4175970\/microsoft-patches-two-zero-day-flaws-in-defender.html\">real-world attacks<\/a> shortly after exploit code became available, prompting warnings from Microsoft and multiple security vendors.<\/p>\n<h2 class=\"wp-block-heading\">The bug allows code execution through SYSTEM access<\/h2>\n<p>In a June 9 blog <a href=\"https:\/\/deadeclipse666.blogspot.com\/2026\/06\/rogueplanet-quick-history.html\" target=\"_blank\" rel=\"noopener\">post<\/a> titled \u201cRoguePlanet, a quick history,\u201d Eclipse wrote of an initial iteration of the Windows Defender bug. 
While technical details remain scarce, the blog did say the bug involves getting a victim to open a \u201c.vhd(x) on a remote SMB server.\u201d<\/p>\n<p>Doing that, the writeup explained, would result in \u201cDefender overwriting its own files and obviously the end outcome was an RCE.\u201d A rough interpretation of the description is that the bug allows executing malicious metadata from a specially crafted virtual hard disk (.vhd) image stored on a remote Server Message Block (SMB) server.<\/p>\n<p>Eclipse\u2019s <a href=\"https:\/\/github.com\/MSNightmare\/RoguePlanet\" target=\"_blank\" rel=\"noopener\">PoC<\/a> exploit ultimately spawns a SYSTEM shell, allowing arbitrary code to be executed by a potential attacker.<\/p>\n<p>A mid-May patch to Defender reportedly sealed the initial attack path detailed by Eclipse, making \u201cjunction attacks useless,\u201d forcing them to rewrite RoguePlanet to work around the fix. The current version of the exploit allegedly works against Windows 11 (official channel + Canary) and Windows 10 with the June 2026 patch installed.<\/p>\n<p>The PoC, however, fails against Windows Server installations because standard users there \u201cCannot mount an ISO image.\u201d While Eclipse was \u201ctoo drained\u201d to redesign an exploit for this exception, they are certain an exploit is possible.<\/p>\n<h2 class=\"wp-block-heading\">The feud behind the flaws<\/h2>\n<p>Microsoft recently <a href=\"https:\/\/github.com\/Nightmare-Eclipse\" target=\"_blank\" rel=\"noopener\">removed<\/a> Eclipse\u2019s GitHub accounts and also disabled their Microsoft Security Response Center (MSRC) access. 
Following the ban, GitLab also <a href=\"https:\/\/gitlab.com\/nightmare-eclipse\" target=\"_blank\" rel=\"noopener\">suspended<\/a> the researcher\u2019s secondary mirrors.<\/p>\n<p>In a May 27 blog <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/blog\/2026\/05\/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure?source=post_page-----0946117940a4---------------------------------------\" target=\"_blank\" rel=\"noopener\">post<\/a>, Microsoft criticized the lack of coordinated vulnerability disclosure and threatened legal action, stating that the public disclosures aided attackers and involved a digital crimes unit coordinating with law enforcement.<\/p>\n<p>\u201cThe vulnerabilities known as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-41091\">RedSun<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-45498\">UnDefend<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-33825\">BlueHammer<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-45585\">YellowKey<\/a>, GreenPlasma, and MiniPlasma were not responsibly disclosed,\u201d the company wrote on Eclipse-disclosed bugs. 
\u201cUncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.\u201d<\/p>\n<p>Cybersecurity analyst Kevin Beaumont <a href=\"https:\/\/doublepulsar.com\/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4\">called<\/a> Microsoft\u2019s response a \u201cdumpster fire of their own making.\u201d Writing of a previous researcher going by the name \u201cSandboxEscaper,\u201d who similarly disclosed Microsoft bugs and published exploit code, Beaumont pointed to Microsoft\u2019s precedent for hiring such researchers in 2019.<\/p>\n<p>\u201cI\u2019m making the point that Microsoft has very publicly hired somebody for doing the same thing Microsoft\u2019s latest blog alleges is criminal behaviour,\u201d Beaumont said.<\/p>\n<p>Microsoft did not immediately respond to CSO\u2019s request for a comment.<\/p>\n<p>Eclipse announced their return to GitHub on June 9. \u201cYes, it\u2019s GitHub again, Microsoft forgot that even if they banned my GitLab and GitHub accounts, they cannot unwrite my code. Once it\u2019s public, you can\u2019t remove it.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The long-running feud between Microsoft and security researcher Nightmare Eclipse has entered a new chapter. Eclipse, who has spent the past several months publicly releasing unpatched Windows vulnerabilities while sparring with Microsoft over vulnerability disclosure practices, has published exploit code for a new zero-day flaw dubbed RoguePlanet. 
The researcher said their exploit uses a race [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8442,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8441","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8441"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8441"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8441\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8442"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}