- Chaotic Eclipse researcher reveals new Windows 11 zero-day affecting Cloud Filter driver
- MiniPlasma, originally tracked as CVE-2020-17103, was reported years ago but is still exploitable despite previous patching attempts
- It’s the sixth vulnerability leaked by the researcher, highlighting ongoing disagreements with Microsoft’s handling of bug reports
Threat actors were able to escalate privileges and gain SYSTEM access on a fully patched Windows 11 device thanks to an unpatched vulnerability that should have been patched years ago, new reports have claimed.
A researcher with the alias Chaotic Eclipse recently disclosed a Proof-of-Concept (PoC) exploit for a zero-day vulnerability that they called “MiniPlasma”. In a new GitHub post, the researcher said the bug affects the ‘cldflt.sys’ Cloud Filter driver and its ‘HsmOsBlockPlaceholderAccess’ routine.
They said Google’s Project Zero reported the issue to Microsoft back in December 2020, and that Microsoft even patched it at some point in the interim. However, for unknown reasons, the vulnerability can now be exploited again. They speculate that the patch was either poorly done or rolled back.
“After looking into it, it turns out that the exact same problem that was reported to Microsoft by Google Project Zero is actually still present, unfixed,” Chaotic Eclipse said. “I’m unsure if Microsoft just never fixed the issue or if the patch was quietly rolled back at some point for unknown reasons. The original PoC from Google worked without any changes.”
The vulnerability, tracked as CVE-2020-17103, was tested by researchers at BleepingComputer as well as by independent researcher Will Dormann of Tharros, and both have confirmed that it works. Dormann emphasized that the bug does not work in the latest Windows 11 Insider Preview Canary build.
For several weeks, Chaotic Eclipse has been steadily exposing various vulnerabilities affecting fully patched Windows 11 machines. Apparently they are unhappy with how Microsoft handles bug reports. So far, they have leaked five vulnerabilities, called RedSun, UnDefend, BlueHammer, YellowKey and GreenPlasma. RedSun was reportedly patched up quietly in the meantime.
With MiniPlasma, the total is now six, and it’s safe to assume there will be more.
“Normally I would go through the process of begging them to fix a mistake, but to summarize, I was personally told by them that they will ruin my life and they did, and I’m not sure if I was the only one who had this terrible experience or few people did, but I think most people just wanted to eat it and cut their losses, but for me they took everything away,” the researcher said.
“They washed the floor with me and pulled all the childish tricks they could. It was so bad at one point I wondered if I was dealing with a large corporation or someone just having fun watching me suffer, but it seems to be a collective decision.”
