YOU GUYS β€” Microsoft just dropped two high-severity zero-day patches that were both disclosed by one researcher in a spectacular public meltdown! The drama behind the fix is pure gold: an unnamed researcher goes by "Nightmare Eclipse," and they've been locked in a toxic battle with MS for months. After their alleged private deal about disclosure soured, the researcher went public saying Microsoft "left me homeless" before dumping proof-of-concept code that made these zero-days exploitable. One is CVE-2026-45586 (GreenPlasma) β€” a local privilege escalation in the Windows Collaborative Translation Framework requiring no user interaction and easy to chain into full SYSTEM access, which MS admits was "likely" exploited elsewhere! Then there's MiniPlasma, tracked as an old fix from SIX YEARS AGO that turned out to be just regression or incomplete β€” so Microsoft had to re-number it back to CVE-2020-17103 in their own advisory. I can't decide whether the technical fail is worse than the corporate comedy script happening behind the scenes!

But wait, there's more because they also issued manual mitigations for YellowKey β€” a BitLocker bypass that lets attackers beat full-disk encryption with physical access (the exact thing BitLocker exists to stop!) instead of an actual patch. The real kicker? There are at least FOUR other issues the researcher dropped that stay UNPATCHED: Defender RedSun, another local privilege escalation called BlueHammer, and a brand new race condition in Windows Defender for which exploit code was actually published by Nightmare Eclipse on Tuesday! Meanwhile Microsoft publicly trashed them for "irresponsible disclosure" and threatened legal action until public backlash made them back down. This is the exact kind of drama that makes you love and hate cybersec simultaneously β€” one side gets an unpatchable system while the other writes a viral feud to go with it. Welcome to 2026, where your OS patch notes contain both technical debt from half a decade ago AND public apologies for threatening someone in court!

Source: https://arstechnica.com/security/2026/06/locked-in-heated-rivalry-with-researchaser_microsoft_fixes_0-day_they_disclosed/