News · June 11, 2026 · 2 min read

Microsoft patches 0-day after researcher dispute escalates

Microsoft fixed a Windows vulnerability disclosed by security researcher Nightmare Eclipse, but left others unpatched. The dispute raises questions about disclosure timelines and vendor accountability.

Our Take

Microsoft patched one 0-day while stonewalling others and offering only workarounds for critical flaws—a pattern that exposes the real friction point: researchers have no leverage until they go public.

Why it matters

When vendors control patch timelines and researchers lack recourse, security disclosure becomes a hostage negotiation. Practitioners stuck waiting for fixes need to know which vulnerabilities stay live and why.

Do this week

Security teams: inventory your BitLocker deployments and apply Microsoft's manual mitigation for YellowKey before the end of the week, then check the status page weekly until the underlying cause is patched.

Microsoft patches one 0-day, delays others

Microsoft's June Patch Tuesday addressed MiniPlasma (CVE-2020-17103), a vulnerability disclosed by researcher Nightmare Eclipse. The flaw was actually a regression: Microsoft had patched the same issue six years prior, meaning the fix was either incomplete or was accidentally undone in a later release.

The company has not yet released patches for the other vulnerabilities disclosed by Nightmare Eclipse. For YellowKey, a vulnerability that defeats BitLocker full-disk encryption, Microsoft provided only manual mitigation instructions rather than a fix. YellowKey is particularly serious because it allows an attacker with physical access to a device to circumvent full-disk encryption, which is precisely the threat model BitLocker is designed to stop.

Other unpatched flaws include RedSun, a vulnerability in Windows Defender, and BlueHammer, a local privilege escalation flaw that grants SYSTEM rights. On Tuesday, Nightmare Eclipse published exploit code for a race condition targeting Windows Defender.

Tuesday's patch batch covered roughly 200 vulnerabilities in total, two of which were confirmed zero-days beyond the ones disclosed by Nightmare Eclipse.

Disclosure disputes expose vendor leverage asymmetry

The timeline of this dispute reveals how little leverage researchers have in responsible disclosure. Over several months, Nightmare Eclipse escalated criticism of Microsoft's vulnerability disclosure program, eventually publishing exploits publicly. Microsoft responded by alleging "irresponsible" disclosure and making veiled legal threats. After public backlash, the company backed down from legal action.

The pattern is telling: Microsoft did not accelerate patches until the researcher went public. MiniPlasma got fixed only after public pressure. YellowKey and others remain unpatched, with Microsoft offering workarounds instead of root fixes.

For practitioners, this matters because it clarifies what responsible disclosure actually protects: vendor schedules, not customer security. When a vendor's patch timeline and the researcher's patience are misaligned, customers inherit the gap.

BitLocker users need immediate mitigation

If your organization relies on BitLocker for full-disk encryption on devices that could face physical attack, you cannot wait for Microsoft to ship a fix. Implement the manual mitigation Microsoft provided for YellowKey before treating this as resolved, and check the Microsoft Security Update Guide weekly for patch status updates on YellowKey, RedSun, and BlueHammer.

Assume that fixes for the underlying causes will take weeks or months to ship. Plan your environment accordingly: assume attackers can defeat BitLocker if they get physical access, and layer additional controls (firmware passwords, device lockdown policies, perimeter controls that reduce the likelihood of device theft).

Document which vulnerabilities affect your deployment and cross-reference them against Microsoft's status page. When Microsoft says "manual mitigation available," that is a signal that a permanent fix is not imminent.
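One way to produce the BitLocker inventory that the "Do this week" item and this section call for, as an added PowerShell example that is not part of the article: it assumes the built-in BitLocker module (Get-BitLockerVolume) and an elevated session, and it only records protection state and key protector types per volume; it does not encode Microsoft's YellowKey mitigation, which the article does not describe.

```powershell
# Added example (not from the article): collect a per-volume BitLocker inventory
# on this host so it can be cross-referenced against the vendor status page.
# Assumes the BitLocker PowerShell module and an elevated session.
function Get-BitLockerInventory {
    [CmdletBinding()]
    param(
        # Optional CSV path; rows are appended so many hosts can feed one file.
        [string]$OutputCsv
    )

    $volumes = Get-BitLockerVolume -ErrorAction Stop

    $inventory = foreach ($v in $volumes) {
        # Key protector types (e.g. Tpm, TpmPin, RecoveryPassword) show whether a
        # volume unlocks on TPM alone or also needs a PIN/startup key at boot.
        $protectors = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
        [pscustomobject]@{
            Host             = $v.ComputerName
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType        # OperatingSystem or Data
            ProtectionStatus = $v.ProtectionStatus  # On / Off / Unknown
            VolumeStatus     = $v.VolumeStatus      # FullyEncrypted, etc.
            EncryptionMethod = $v.EncryptionMethod
            KeyProtectors    = $protectors
            Collected        = (Get-Date).ToString('s')
        }
    }

    if ($OutputCsv) {
        $inventory | Export-Csv -Path $OutputCsv -NoTypeInformation -Append
    }
    $inventory
}

# Usage: flag OS volumes that are encrypted but rely on the TPM alone, with no
# pre-boot PIN or startup key; these are the ones to review first against the
# vendor's guidance for physical-access attacks.
Get-BitLockerInventory -OutputCsv "$env:TEMP\bitlocker-inventory.csv" |
    Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.ProtectionStatus -eq 'On' -and
        $_.KeyProtectors -notmatch 'Pin|StartupKey'
    } |
    Format-Table Host, MountPoint, EncryptionMethod, KeyProtectors -AutoSize
```

Run it from your endpoint management tooling to gather one CSV across the fleet; the filter at the end is a triage aid, not a statement about which configurations YellowKey affects.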
