Angry Researcher Drops Two Windows Zero-Day Exploits, Citing Frustration with Microsoft's MSRC

Executive Summary

A security researcher, using the alias Chaotic Eclipse, has publicly released proof-of-concept (PoC) code for two previously unknown, or zero-day, vulnerabilities in Microsoft Windows. The exploits, dubbed YellowKey and GreenPlasma, were dropped on social media following a public dispute with the Microsoft Security Response Center (MSRC). This act of non-coordinated disclosure places all Windows users at immediate risk, as there are no official patches available. Reports indicate that other threat actors have already begun incorporating the exploits into active attack campaigns. The incident highlights the volatile nature of vulnerability disclosure and the significant danger posed when the process breaks down.

Vulnerability Details

Details are emerging, but the disclosed vulnerabilities are described as:

• YellowKey: A Windows BitLocker encryption bypass vulnerability. This type of flaw could potentially allow an attacker with physical or privileged access to a machine to bypass BitLocker drive encryption and access the data on the disk. This poses a significant threat to data confidentiality on stolen or lost devices.
• GreenPlasma: An elevation of privilege (EoP) vulnerability in the Windows CTFMON process. The flaw is related to how Windows handles path trust and arbitrary section creation. A local attacker could exploit this to execute code with higher privileges, likely SYSTEM, allowing them to take full control of a compromised machine.

Exploitation Status

CRITICAL: These vulnerabilities are reportedly being actively exploited in the wild.

The researcher's public release of working PoC code has enabled other malicious actors to weaponize the exploits rapidly. Reports suggest that active attacks leveraging YellowKey and GreenPlasma began within 24 hours of the disclosure. This is a classic zero-day scenario where defenders have no patch and must rely on mitigations and detection.

Threat Actor Profile

The researcher, Chaotic Eclipse (also known as Nightmare Eclipse), has a history of similar disclosures, including a previous zero-day named "BlueHammer." Their stated motivation is frustration with MSRC's handling of their vulnerability submissions. While their actions may stem from a desire to force a response from Microsoft, the result is a dangerous situation for the entire Windows user base. This behavior blurs the line between security research and malicious activity.

Impact Assessment

• Immediate Risk of Compromise: With public exploits and active attacks, any unpatched Windows system is potentially vulnerable. The GreenPlasma EoP flaw is particularly dangerous as it can be chained with other, less severe vulnerabilities (like a simple remote code execution bug in a browser) to achieve full system compromise.
• Data Confidentiality at Risk: The YellowKey BitLocker bypass, if effective, undermines a cornerstone of Windows data protection. It could allow attackers to access sensitive data on encrypted drives, nullifying a critical security control for mobile workforces and high-security environments.
• Erosion of Coordinated Disclosure: This incident damages the trust-based system of coordinated vulnerability disclosure (CVD), where researchers work with vendors to fix flaws before they are made public. It may encourage other researchers to follow a similar path, leading to a more chaotic and dangerous security environment.

IOCs — Directly from Articles

No specific Indicators of Compromise (IPs, domains, hashes) were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams should immediately begin hunting for signs of exploitation:

Detection & Response

Since no patch is available, detection and mitigation are key.

• Endpoint Detection and Response (EDR): EDR solutions with strong behavioral detection capabilities are the best defense. Configure EDR to alert on suspicious process chains originating from ctfmon.exe and on any process attempting to tamper with BitLocker or access raw disk contents.
• Threat Hunting: Proactively hunt for the observables listed above. Search for any signs of privilege escalation attempts that do not follow known patterns.
• Isolate Suspicious Systems: If a system is suspected of being compromised using these exploits, it should be immediately isolated from the network to prevent lateral movement.

Mitigation

As there are no patches, only temporary compensating controls are available:

• Application Control: Use application control solutions (like AppLocker or Windows Defender Application Control) to restrict the execution of unauthorized code. This can prevent an attacker from running their payload even if they successfully exploit the GreenPlasma EoP.
• Limit Local Admin Rights: Enforce the principle of least privilege. The GreenPlasma exploit requires an attacker to first have local access. By limiting user privileges, you reduce the number of accounts that could potentially trigger the exploit.
• Physical Security: For the YellowKey BitLocker bypass, reinforcing physical security for laptops and other devices is crucial. An attacker needs access to the device to exploit this flaw.
• Monitor Vendor Communications: Closely monitor all communications from Microsoft for an out-of-band patch or official mitigation guidance.