Locked in a heated competition with the researcher, Microsoft released 0-day fixes



Tuesday’s patch batch also fixed MiniPlasma, a separate vulnerability disclosed by Nightmare Eclipse. Microsoft said in an email that the vulnerability is tracked as CVE-2020-17103, a flaw Microsoft first patched six years ago. This means that MiniPlasma in its original form is the result of a regression or an incomplete patch. The company is in the process of updating its Tuesday bulletin.

Microsoft has not yet released patches for the other vulnerabilities disclosed by Nightmare Eclipse. The company did provide manual instructions to mitigate YellowKey, a vulnerability that allows attackers to defeat BitLocker full disk encryption. This can be a boon to attackers who have physical access to a device (the exact scenario BitLocker is designed to protect against). The company has not yet addressed the root cause of the vulnerability.

The status of the other vulnerabilities disclosed by Nightmare Eclipse is also currently unclear. One of the remaining vulnerabilities, which the researcher named RedSun, is in Windows Defender. Another, called BlueHammer, is a local privilege escalation flaw that grants SYSTEM rights.

Over the past few months, Nightmare Eclipse has taken several potshots at Microsoft. The specific criticisms remain unclear, but many cite complaints about the company’s vulnerability disclosure program. Microsoft in turn publicly accused the researcher of “irresponsibly” disclosing the vulnerabilities and did not rule out legal action. After a public backlash, Microsoft later relented and promised no such legal action would be taken.

On Tuesday, Nightmare Eclipse published exploit code for a new Windows vulnerability, a race condition in Defender.

Tuesday’s patch rollout includes fixes for about 200 vulnerabilities. Besides MiniPlasma, two others were also confirmed as zero-days.

The post has been updated to include information provided by Microsoft since this article was originally published.
