Mystery Microsoft Bug Leaker Keeps the Zero-Days Coming (theregister.com)
An anonymous researcher known as Nightmare-Eclipse, who has already leaked several Windows zero-days this year, has disclosed two more: YellowKey and GreenPlasma. The Register reports: Nightmare-Eclipse described YellowKey as "one of the most insane discoveries I ever found." They provided the files, which have to be loaded onto a USB drive, and if the attacker completes the key sequence correctly, they are granted unrestricted shell access to a BitLocker-protected machine. When it comes to claims like these, we usually exercise some caution, as this bug requires physical access to a Windows PC. However, seeing that BitLocker acts as Windows' last line of defense for stolen devices, bypassing the technology grants thieves the ability to access encrypted files. Rik Ferguson, VP of security intelligence at Forescout, said: "If [the researcher's claim] holds up, a stolen laptop stops being a hardware problem and becomes a breach notification."
Despite the physical access requirement, Gavin Knapp, cyber threat intelligence principal lead at Bridewell, told The Register that YellowKey remains "a huge security problem for organizations using BitLocker." Citing information shared in cyber threat intelligence circles, he added that YellowKey can be mitigated by implementing a BitLocker PIN and a BIOS password lock. Nightmare-Eclipse hinted at YellowKey also acting as a backdoor, allegedly injected by Microsoft, although the people we spoke to said this was impossible to verify based on the information available. The researcher also published partial exploit code for GreenPlasma, rather than a fully formed proof of concept exploit (PoC).
Ferguson noted attackers need to take the code provided by the researcher and figure out how to weaponize it themselves, which is no small task: in its current state it triggers a UAC consent prompt in default Windows configurations, meaning a silent exploit remains a work in progress. Knapp warned that these kinds of privilege escalation flaws are often used by attackers after they gain an initial foothold in a victim's system. "These elevation of privilege vulnerabilities are often weaponized during post-exploitation to enable threat actors to discover and harvest credentials and data, before moving laterally to other systems, prior to end goals such as data theft and/or ransomware deployment," he said. "Currently, there is no known mitigation for GreenPlasma. It will be important to patch when Microsoft addresses the issue." The other zero-days leaked include RedSun, a Windows Defender privilege escalation flaw; UnDefend, a Windows Defender denial-of-service bug; and BlueHammer, a separate Microsoft vulnerability tracked as CVE-2026-32201 that was patched in April.
According to The Register, RedSun and UnDefend remained unfixed at the time of publication, and proof-of-concept code for the flaws was reportedly picked up quickly and abused in real-world attacks.
Running Windows (Score:4, Informative)
...continues to be its own reward.
I don't miss it at all.
Re:Running Windows (Score:4, Informative)
Re: Running Windows (Score:3)
Re: (Score:2)
Re: (Score:2)
You may have missed how quickly those got fixed. Try to keep up.
Re: (Score:2)
Re:Running Windows (Score:4, Insightful)
...continues to be its own reward.
I don't miss it at all.
That's funny, because close to everyone on Slashdot says they don't use Bitlocker and thus aren't affected by this exploit.
Anyway, what should I run instead? Linux? I mean do you want to count which OS has had the highest numbers of security related stories here in the past couple of weeks? You're not going to like the answer.
Defence in depth, people. You shouldn't assume your OS is perfectly secure. You shouldn't assume your applications are perfectly secure. You shouldn't assume your supply chain is perfectly secure. Doing any of the above makes you ignorant, regardless of your chosen solution.
Re:Running Windows (Score:4, Interesting)
You're not really comparing like with like. When we talk about vulnerabilities in Windows we're talking about the entire operating system. The bugs that have come up the last few days were in the Linux kernel.
Basically if all those 167 vulns were in KRNL386.EXE (or whatever the Windows kernel is called these days) it'd be comparable in terms of stats.
I don't doubt there are fewer vulnerabilities in, say, Debian than there are in Windows (which is more of a like-for-like comparison) but you undermine the argument by comparing a kernel to a full blown operating system.
Re: (Score:2)
Trolling, how quaint.
Trolling? I called it counting, but English is my second language.
Re: (Score:2)
Anyway, what should I run instead? Linux? I mean do you want to count which OS has had the highest numbers of security related stories here in the past couple of weeks? You're not going to like the answer.
Only if cherry picking the last few weeks is the only way to support your argument. If you look at Windows security vs Linux security historically, your argument would be pathetic.
Defence in depth people. You shouldn't assume your OS is perfectly secure. . .
No one said that. That's a strawman argument at best. No OS is perfectly secure. However, what I know is Windows has historically been riddled with exploit after exploit.
Re: (Score:2)
Only if cherry picking the last few weeks
People whose machines get owned don't care if the statistics are cherry picked. The reality is if you want a secure PC, don't turn it on.
Re: (Score:2)
Re: (Score:2)
But they have. People have been owning Windows machines for decades, and Linux machines, and Unix machines, and Macs, and Android, and iOS, etc. etc. etc. The only bias I have here is the one you made up.
I never said Windows was secure. I said Slashdotters who infamously don't use a feature aren't affected by the security bug under discussion.
But your reading comprehension skills will never acknowledge that.
Re: (Score:2)
This may be a boon for people locked out. (Score:3, Interesting)
Re: (Score:2)
happy to help, this kind of forward looking customer support is something that is our top priority, our Top Priority
Re:This may be a boon for people locked out. (Score:5, Insightful)
Because your sister couldn't be bothered to write things down, this is MS' fault?
Re: (Score:3, Insightful)
It's his sister's fault she didn't preserve the key.
It's Mickeysoft's fault they locked the computer for no reason. Locking a normal user's desktop computer (i.e. not one with additional security-related group policy) just because they weren't using it is both user-hostile and pathetic. It gives off strong "Notice me senpai" energy.
There are no heroes in this story, but that goes triple for Microsoft's user-hostile defaults.
Re: (Score:2)
I also think there is a lesson here about cryptography on consumer devices.
I really don't think encrypting data at rest, where it isn't absolutely expected (like a password safe), should default to on. Key management is hard; the threat model most consumers face simply has them needing (or at least wishing for) offline data recovery a lot more frequently than 'oh shit, I left the laptop on the bus', when their reality is that the laptop never leaves the house.
Mixing data encryption with identity tools neither of which the
Re: (Score:2)
But when an unlock key is stored in a cloud account, recovery is just "sign into your Microsoft account". Not being able to sign into the account, or even recover the account, while expecting to be able to get to the data is hardly Microsoft's fault.
And if people want to run with a local account, then it's not unreasonable that they also should take on the extra responsibility like safely storing their offline unlock key in case Bitlocker gets tripped.
Re: (Score:2)
That is my point though. They don't know they need to do these things. They sign in with a PIN or Hello for years, forget their password, something happens to the PC and they are foobar..
Their past experience for the last 30 years was that every time they get one too many copies of BonziBuddy installed, their cousin does something with the hard disks and gets all their pictures, Works/Office/OO docs, and Quicken files off there. This time it's 'sorry, can't help you'.
Is it Microsoft's fault - no not really, but it
Re: (Score:2)
This ignores account recovery or just even being able to sign into a Microsoft account through an email code by default.
So it's forget local unlock code, forget password, lose access to primary email, and lose access to any alt methods like authenticator/security key/cloud wallet passkey before they are fubar. And at that point, I really don't think local disk encryption is the problem to be talking about.
Re: (Score:2)
LOL have you worked with the average home PC buyer like ever.
They never wrote down the local unlock code.
They forgot their password. - (This is why they called you initially, or the malware duped them into changing it)
They have no access to their e-mail; someone showed them how to connect Outlook 3 years ago and it has just worked ever since. No, they can't even begin to guess at the password, even now that their life depends on it.
They have no clue what a passkey or cloud wallet is, they only knew they never need
Re:This may be a boon for people locked out. (Score:5, Interesting)
It's Mickeysoft's fault they locked the computer for no reason.
No it's your fault for believing this insanely stupid story. Enabling bitlocker is a process with quite a few steps. At no point does it either enable itself - there's no mechanism for it to do so, and even if that process was started (even admins can't remotely enable bitlocker unless the machine is tied to a domain account) there would be many dialogues to click through before the encryption process is even started.
Things we don't know for certain:
a) Did laxr5rs' sister lie to him to save face?
b) Did laxr5rs lie to us
Things we do know for certain:
You're super gullible for ragebait.
Re: (Score:2)
At no point does it either enable itself - there's no mechanism for it to do so
You buy a computer with Windows 10/11 Home.
You sign in with a Microsoft account.
Microsoft backs up your encryption key and starts encrypting the drive. Yes, they call it "device encryption" and not Bitlocker, but that's only semantics because they had already branded Bitlocker as a Pro feature.
Re: (Score:3)
Yes it does. It presents you multiple dialogue boxes when doing so and explains the importance of your key. It also critically doesn't let you bypass the dialogue by hitting the X button like an impatient idiot meaning you will be making a conscious decision to sync your key, to print your key, or to copy it to a USB stick (the three options presented to the user in your scenario).
Additionally if this were the scenario the OP was describing then a) it wouldn't have happened silently, again there's dialogues
Re:This may be a boon for people locked out. (Score:4, Insightful)
It's Mickeysoft's fault they locked the computer for no reason.
No it's your fault for believing this insanely stupid story. Enabling bitlocker is a process with quite a few steps.
Tell me you haven't bought a Windows PC in a while without telling me.
They ALL encrypt the drives by default, without any user intervention. For home users, I *disable* it as part of the initial out-of-box setup, because BitLocker is enabled by default and the key is uploaded to the Microsoft account users are forced to use/create when doing the initial machine setup.
Now, the REAL fun is that Microsoft, in their infinite wisdom, decided that BIOS firmware updates are worth sending to users via Windows Update. Well, when those BIOS updates happen, they can sometimes trip the TPM in a way that requires the BitLocker key to be input in order to unlock the system. While MS will display the key's ID, it doesn't show the MS account it's tied to, so if a user forgot which e-mail address they happened to give during setup, or no longer has access to that account, the user loses access to their data because of a BIOS update that was probably either optional, or legitimately fixed a security vulnerability that required the laptop to be physically accessed in order to perform. 9 out of 10 laptop owners would absolutely prefer "a thief could potentially access my data if my laptop is stolen" over "I could lose my data if MS and HP decide to send an update"...keeping in mind users cannot opt out of updates, even to the extent of "update Windows, don't touch my BIOS".
So yeah, the story is legit; I have personally had to give people the bad news on this topic on more than one occasion. Pepperidge Farm remembers when BitLocker was a function Microsoft only included with Windows 7 Ultimate, but now it's enabled by default for home users with no meaningful awareness or consent given to do it.
Apparently, it's not ransomware when Microsoft does it.
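The summary above says YellowKey is mitigated by a BitLocker PIN plus a firmware password, and the comment above describes a TPM-only volume dropping into recovery after a firmware update with only the key protector ID on screen. The script below is an added example, not code from The Register, Microsoft or any commenter: it audits the protectors on a volume, flags TPM-only protection (no pre-boot PIN), optionally switches the volume to TPM+PIN, and makes sure a recovery password exists whose ID can be matched against the recovery screen. Assumptions: the OS volume is C: unless overridden, and the `HKLM\SOFTWARE\Policies\Microsoft\FVE` values are the documented registry equivalents of the "Require additional authentication at startup" policy. A UEFI/BIOS password is vendor-specific and is not set here.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker protectors, optionally enforce TPM+PIN,
# and ensure a recovery password exists. Not from the article.
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$Enforce   # add a TPM+PIN protector instead of only reporting
)

function Get-BitLockerProtectorReport {
    param([string]$MountPoint)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        EncryptionMethod    = $vol.EncryptionMethod
        ProtectorTypes      = $types -join ', '
        # TpmPin and TpmPinStartupKey both require a pre-boot PIN.
        HasPreBootPin       = [bool]($types -match '^TpmPin')
        # Bare TPM protector and no PIN variant: the configuration the page
        # says YellowKey-style physical attacks get past.
        TpmOnly             = ($types -contains 'Tpm') -and -not ($types -match '^TpmPin')
        RecoveryPasswordIds = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId }) -join ', '
    }
}

function Set-TpmPinPolicy {
    # Assumed registry equivalent of "Require additional authentication at
    # startup": for each protector-type value 0 = do not allow, 1 = require,
    # 2 = allow. TPM-only is disallowed, TPM+PIN is required.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    $settings = @{
        UseAdvancedStartup = 1
        EnableBDEWithNoTPM = 0
        UseTPM             = 0
        UseTPMPIN          = 1
        UseTPMKey          = 0
        UseTPMKeyPIN       = 0
        MinimumPIN         = 6
    }
    foreach ($name in $settings.Keys) {
        Set-ItemProperty -Path $fve -Name $name -Value $settings[$name] -Type DWord
    }
}

function Add-TpmPinProtector {
    param([string]$MountPoint, [securestring]$Pin)
    # A volume holds one TPM-based protector; adding TPM+PIN takes its place.
    # The loop removes a bare TPM protector if one is still listed afterwards.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

function Ensure-RecoveryPassword {
    param([string]$MountPoint)
    # The recovery screen shows only the protector ID; record ID and password
    # together so the ID can be matched to the right 48-digit password later.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    # Escrow options: Backup-BitLockerKeyProtector (AD DS) or
    # BackupToAAD-BitLockerKeyProtector (Entra ID), both taking the same
    # -MountPoint / -KeyProtectorId pair. A personal Microsoft account has no
    # cmdlet, so the pair is emitted here for offline storage.
    foreach ($p in $rp) {
        [pscustomobject]@{ KeyProtectorId = $p.KeyProtectorId; RecoveryPassword = $p.RecoveryPassword }
    }
}

$report = Get-BitLockerProtectorReport -MountPoint $MountPoint
$report | Format-List

if ($report.TpmOnly) {
    Write-Warning "$MountPoint is protected by TPM only: no pre-boot PIN."
    if ($Enforce) {
        Set-TpmPinPolicy
        $pin = Read-Host -AsSecureString 'New BitLocker startup PIN (at least 6 digits)'
        Add-TpmPinProtector -MountPoint $MountPoint -Pin $pin
        Write-Host 'TPM+PIN protector added; the PIN is required from the next boot.'
    }
}

Ensure-RecoveryPassword -MountPoint $MountPoint | Format-Table -AutoSize
```

Run it without `-Enforce` first to see what protectors the volume actually has; `.\audit.ps1 -Enforce` (assumed filename) then applies the policy and prompts for the PIN. Changing protectors does not re-encrypt the disk, so the switch is quick, but the PIN is only asked for from the next boot, and the printed recovery password is still the only way back in if the TPM measurements change, as the firmware-update case above describes.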
Re: (Score:2)
No they don't. They encrypt them in the background after explicitly telling you and flashing up a dialogue box which you can't avoid which gives you the option to sync your key (or not), or print the key, or save the key to the USB stick. Literally 1 of 3, you can't not select an option, and it's a full screen dialogue so you can't provision your computer without acknowledging that the encryption is happening.
Additionally, if the OP's case were a new computer then they wouldn't have gotten that far since app
Re: This may be a boon for people locked out. (Score:2)
Why don't Microsoft do what Apple offers? In their case, if you don't remember the password to your Mac or have a copy of the FileVault key, you can recover it through your iCloud account. At one time, it was optional to store online; I don't know if that's still the case. I know this because recently I somehow mistyped my password the same way twice when I changed it and had to go through the fairly simple recovery process, even though I only use local accounts. So I
Re: (Score:2)
she didn't know her microsoft account
Microsoft does that same thing, there's an offline key and a key stored in the cloud accessed through a Microsoft account.
Hardly Microsoft's fault that she didn't write down the offline key and couldn't remember her password.
Re: (Score:2)
Microsoft does store the key to your Microsoft account for non-managed computers. What it doesn't do is tell you the email address you used to create that account on the recovery screen.
At least for Macs, most Mac users have an iPhone that is signed into the same iCloud account and is also a trusted device that can be used to reset the password for that account.
Re: (Score:2)
I've found a small percentage, maybe 5%, of the hundreds of devices I've had to pull up Bitlocker keys for are glitched. Microsoft's site will list the device, but when you click the button to display the key, you only get an empty box.
I'm not sure whether to blame Microsoft or my employer, but I'm guessing Microsoft manages all the backend for their own web site, and we have no more on-prem Windows servers, it's all in the MS cloud.
I have a personal policy now of always keeping a paper copy of the key, bec
Re: (Score:2)
Bitlocker doesn't trigger from lack of use though. It's basically just when hardware signature changes are detected.
And it's wild to blame Microsoft if they didn't write down their offline key, can't remember their Microsoft account password, or be able to do any of the things required to recover their Microsoft account.
Re: (Score:2)
Bitlocker doesn't trigger from lack of use though. It's basically just when hardware signature changes are detected.
In fairness though, sometimes that signature can change for stupid reasons. I had no end of problems with a KVM switch which triggered this issue. Take my work laptop home and plug it into the KVM, Bitlocker triggers. Enter the unlock key, system boots. Take the laptop to work, no KVM present, Bitlocker triggers. Enter the unlock key, system boots. There was no storage/etc plugged into that KVM, so nothing that could conceivably mess with the secure boot process, and yet there it was. Turns out this
Re:This may be a boon for people locked out. (Score:4, Interesting)
I read a story about someone with Bitcoin keys on a laptop which they lost access to.
It was put on a shelf waiting for an exploit like this.
Re: (Score:2)
she left her machine off for a while and it, for whatever reason bitlocked itself
She's either lying to you or you are lying to us.
Mystery MS Bug Leaker secret origin (Score:4, Funny)
All because you parked in his handicap spot.
Re: (Score:3, Informative)
Steve Jobs says hi
BitLocker isn't the only one, of course (Score:3)
VeraCrypt is a particularly strong full-disk encryption tool, although you don't hear much of companies using it. However, BitLocker security issues keep getting mentioned and it looks like VeraCrypt fixed a number of theirs. However, code quality seems to be listed as unclear on some sites. Not sure how true that actually is though.
BestCrypt is another, but I'm not happy they permit fragile encryption schemes, as those could potentially be used by the software as standard for something important. Being commercial software, that wouldn't be easy to check.
BitLocker seems to be a typical Microsoft failure in terms of what it does, used only because it's Microsoft and that gives CTOs and CFOs someone to blame.
Re: (Score:2)
BitLocker seems to be a typical Microsoft failure in terms of what it does, used only because it's Microsoft and that gives CTOs and CFOs someone to blame.
Bitlocker does the absolute legal bare minimum.
If it were very secure, idiot CTOs and CFOs would be getting fired weekly for losing/forgetting their decryption pass phrases and subsequently permanently losing company data. Which they would never agree to.
Re: (Score:2)
*glances at Enron
Actually, that sounds truly brilliant. Let's raise the legal requirements so that happens...
Patch or withdraw from the market (Score:5, Interesting)
The EU Cyber Resilience Act (CRA) (fully applicable from January 16, 2027 onwards) mandates that manufacturers of products with digital elements (like Windows) must patch or mitigate disclosed vulnerabilities without undue delay (Article 10). For critical vulnerabilities, patches must be provided within 14 days of discovery (or sooner if actively exploited). For non-critical vulnerabilities, the deadline is 30 days.
Under the (CRA), should Microsoft fail to address a disclosed zero day vulnerability in Windows within the mandated timeframe or neglect to provide adequate mitigation measures, the product may no longer be permitted for distribution within the European market. Authorities would deem such inaction a breach of the regulation’s requirements, particularly if the vulnerability remains unpatched while being actively exploited. In such an instance, enforcement bodies could impose a suspension on the sale or distribution of Windows until Microsoft rectifies the issue, issues the necessary patches, and ensures compliance with the Act’s provisions. This measure serves to protect users from undue risk and uphold the integrity of digital products under the new regulatory framework.
Re: (Score:2, Insightful)
adequate mitigation measures - Use a bitlocker PIN.
DONE... Unless punishing Microsoft is a useful trade negotiating tactic this week.
Things like the CRA are vague and their only real use is as a cudgel for regulators to threaten anyone they don't like with. The result is politically capricious uneven enforcement. Note this isn't a EU problem specifically the USA has so much of this same frightening freedom destroying BS law on the books, I am not casting a stone here, but exactly nobody who cares about
Re: (Score:2)
Stuff like this is actually a big deal in governments. They use *a lot* of Windows laptops, locked down to tight to handle classified material. Full Disk Encryption is a requirement because that way, if the laptop gets stolen, the thief can't get to cached copies or even actual copies of classified data from the hard disk.
If you can (quite easily) get to the data on the disk, then the data security of the device is lost, which means you can no longer work on classified material. That's pretty much the end o
Re: (Score:2)
The problem is low level bugs have a tendency to have their tendrils in far more places than it appears.
Fixing a bug in 14 days? That may be reasonable if it's an application like Microsoft Word, but even then it likely isn't enough to be realistic. Even Google's 30 days was unrealistic.
The problem comes down to how central the component is - there are things where you need to do full regression testing because it's such a critical component that any change could break something.
If you demand a fix in 14 da
Bill? (Score:2)
Is that you?
Re: (Score:2)
Bill's not really [yahoo.com] an ex-anything.
BlueHammer not a zero day (Score:3)
By definition, if a patch is available it is not a zero day.
Re: (Score:1)
"The other zero-days leaked include .... BlueHammer, a separate Microsoft vulnerability tracked as CVE-2026-32201 that was patched in April."
By definition, if a patch is available it is not a zero day.
For clarity, the BlueHammer exploit was released on the 3rd of April and the patch was issued on the 14th of April. By definition, if it's not patched at the time of release, it's a zero day [wikipedia.org].
Re: (Score:2)
if it's not patched at the time of release, it's a zero day [wikipedia.org].
You didn't read your own link. When Microsoft (or the users in general) finds out about the vulnerability, that is day 1. Before that is day zero.
If Microsoft found out about the exploit on the third of April, then that was day one.
Then day two was April 4th.
Day three was April 5th.
Etc. you should be able to do this kind of math.
Re: (Score:3)
patch was available after the disclosure from all accounts
Surprised that automatic unlock is a risk? (Score:3)
Re: (Score:2)
The TPM is supposed to rely on a hardware signature match before unlocking. Booting from alternate media would fail that test and the TPM won't hand over the keys. And in fact, YellowKey does require you to boot from the internal drive into the recovery environment. Apparently the recovery environment unlocks the drive and relocks it.
Looking further, it uses some kind of pending file change tool in the System Volume Information folder to put a file on (I think) the mounted recovery system while the drive
Watched an Adam Savage video recently (Score:3)
This Bitlocker exploit, coupled with a disguise as a keyboard, seems to me like it would bypass the PIN requirement if the computer was booted.
Re: (Score:3)
what it does as a keystroke injector is open powershell then executes a bunch of commands, and exits quickly. :)
One solution for this is... disable command prompt and powershell for non-admin users. One of the companies I worked for did this. They also physically blocked the USB ports on all of our laptops with difficult to remove inserts