Usually, when I report zero-day exploits, it's because attacks by threat actors are already underway or a vendor has released a patch after becoming aware of the vulnerability. BlueHammer, however, is different. This time, it's a security researcher who has released the Windows exploit code, there is no patch available, and the researcher is laying the blame firmly at the door of the Microsoft Security Response Center (MSRC). Here's what we know, and what Microsoft has said, about the security alert that a billion Windows users are waking up to.
The Extraordinary BlueHammer Microsoft Windows Zero-Day Exploit Story
In more than 35 years of writing about cybersecurity issues, I cannot recall a time when a security researcher has released zero-day exploit code in the way that BlueHammer has been dropped. I mean, zero-days are not, in and of themselves, unusual. Within the space of the last week alone, I have reported on a new Fortinet exploit being used by attackers and a zero-day attack alert impacting 3.5 billion Google Chrome users. But the Windows BlueHammer zero-day is different, very different indeed.
A security researcher posting under the name of Chaotic Eclipse stated: "I was not bluffing Microsoft, and I'm doing it again. Unlike previous times, I'm not explaining how this works; y'all geniuses can figure it out. Also, huge thanks to MSRC leadership for making this possible!!!" That posting contained a link to a GitHub repository containing the BlueHammer exploit code for a zero-day Windows vulnerability.
The vulnerability, which has not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier, enables a successful attacker to gain SYSTEM privileges by way of a local privilege escalation exploit. According to one notable security expert, the exploit does appear to work, although Chaotic Eclipse has acknowledged that the proof-of-concept code has some bugs. It should also be noted that exploitation is far from straightforward: as a local privilege escalation, it requires the attacker to already have code execution on the target machine as a low-privileged user. If it succeeds, however, they gain SYSTEM-level access to the Security Account Manager (SAM) database, which holds the hashed credentials of the machine's local accounts, so this should not be discounted as just an angry hacker letting off steam.
It is unknown at this time what the actual dispute between the researcher and the MSRC is about, or whether a patch for Microsoft Windows users will be forthcoming. Microsoft has issued the following statement: "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."