
Microsoft Threatens Security Researcher with Criminal Prosecution

Photo: TechCrunch

Quick answer

Microsoft is threatening the security researcher Nightmare Eclipse with criminal prosecution for publishing unpatched vulnerabilities in Defender and BitLocker.

An independent security researcher, known by the pseudonym Nightmare Eclipse, published details of several critical vulnerabilities in Microsoft products, including the built-in antivirus Defender and the disk encryption tool BitLocker. Among the discovered issues were exploits like BlueHammer, RedSun, UnDefend, and YellowKey, which allowed bypassing system protections.

The company responded with sharp criticism, accusing the researcher of violating "responsible disclosure" principles and creating risks for users. In an official blog post, Microsoft claimed that some vulnerabilities had already been exploited by malicious actors in real-world attacks, and that publishing exploits before patches were released could have facilitated this. The corporation also mentioned the possibility of involving its Digital Crimes Unit and law enforcement to pursue such cases.

Nightmare Eclipse, in turn, stated that they had attempted to engage with Microsoft through the Microsoft Security Response Center portal but faced improper treatment, including access being blocked. The researcher emphasized that they were forced to disclose the data after the vendor ignored their attempts to establish dialogue. The publication of exploit code on platforms like GitHub and GitLab led to the researcher's accounts being blocked.

The incident sparked a strong reaction in the cybersecurity community. Experts, including former Microsoft employees, accused the company of excessive aggression and attempting to intimidate researchers. Katie Moussouris, founder of Luta Security and a pioneer of Microsoft's bug bounty program, called the threats of criminal prosecution "overreach," warning that it would undermine trust in the vendor and reduce vulnerability reports.

The dispute has once again raised the question of balancing interests: Should researchers wait for vendors to issue fixes, risking user security, or are vendors obligated to respond promptly to vulnerability reports without shifting responsibility onto experts?

Common questions

Which vulnerabilities did Nightmare Eclipse discover in Microsoft products?
The researcher identified critical vulnerabilities, including the BlueHammer, RedSun, UnDefend and YellowKey exploits, which allowed bypassing system protections in Defender and BitLocker.
Why did Microsoft accuse Nightmare Eclipse of violating vulnerability disclosure ethics?
The corporation maintains that publishing exploits before patches were released put users at risk and violated "responsible disclosure" principles, since some of the vulnerabilities were already being used by malicious actors.
How did Nightmare Eclipse respond to Microsoft's accusations?
The researcher stated that they had tried to engage with Microsoft through MSRC but ran into their access being blocked. They accused the vendor of ignoring their attempts to establish a dialogue and said they were forced to make the data public.
What reaction did the incident provoke in the professional community?
Experts, including former Microsoft employees, accused the company of excessive aggression and of attempting to intimidate researchers. Luta Security founder Katie Moussouris called the threats of criminal prosecution "overreach".
Why trust this

Prepared by the V-Help editorial team from the primary source with a published date.

Published by: V-Help.ru news desk

Source: TechCrunch