Microsoft fixes 0-day disclosed by researcher amid rivalry

Tuesday’s patch bundle included a fix for MiniPlasma, a vulnerability Microsoft says is tracked as CVE-2020-17103 and was first fixed six years ago — indicating MiniPlasma was the result of a regression or an incomplete patch. The company is updating Tuesday’s bulletin to note the republication.

The same batch included fixes for roughly 200 vulnerabilities, and two of them were confirmed as zero-days. Microsoft has yet to release patches for other vulnerabilities disclosed by Nightmare Eclipse. The company did provide manual instructions for mitigating YellowKey, a flaw that allows attackers to defeat Bitlocker full-disk encryption — a potential boon when attackers have physical access to a device — but it has not fixed the underlying cause.

The status of additional disclosures remains unclear. The researcher named a vulnerability present in Windows Defender called RedSun, and another, BlueHammer, is a local privilege escalation flaw that provides SYSTEM rights.

microsoft, miniplasma, cve-2020-17103, patch bundle, zero-day, nightmare eclipse, yellowkey, bitlocker, redsun, bluehammer