

Mystery Microsoft Bug Leaker Keeps the Zero-Days Coming (theregister.com)

(Thursday May 14, 2026 @11:00AM (BeauHD) from the add-them-to-the-list dept.)


An anonymous researcher known as [1]Nightmare-Eclipse, who has already leaked several Windows zero-days this year, has disclosed two more: [2]YellowKey and [3]GreenPlasma. The Register reports:

> Nightmare-Eclipse described YellowKey as "one of the most insane discoveries I ever found." They provided the files, which have to be loaded onto a USB drive, and if the attacker completes the key sequence correctly, they are granted unrestricted shell access to a BitLocker-protected machine. When it comes to claims like these, we usually exercise some caution, as this bug requires physical access to a Windows PC. However, seeing that BitLocker acts as Windows' last line of defense for stolen devices, bypassing the technology grants thieves the ability to access encrypted files. Rik Ferguson, VP of security intelligence at Forescout, said: "If [the researcher's claim] holds up, a stolen laptop stops being a hardware problem and becomes a breach notification."

>

> Despite the physical access requirement, Gavin Knapp, cyber threat intelligence principal lead at Bridewell, told The Register that YellowKey remains "a huge security problem for organizations using BitLocker." Citing information shared in cyber threat intelligence circles, he added that YellowKey can be mitigated by implementing a BitLocker PIN and a BIOS password lock. Nightmare-Eclipse hinted at YellowKey also acting as a backdoor, allegedly injected by Microsoft, although the people we spoke to said this was impossible to verify based on the information available. The researcher also published partial exploit code for GreenPlasma, rather than a fully formed proof of concept exploit (PoC).

>

> Ferguson noted attackers need to take the code provided by the researcher and figure out how to weaponize it themselves, which is no small task: in its current state it triggers a UAC consent prompt in default Windows configurations, meaning a silent exploit remains a work in progress. Knapp warned that these kinds of privilege escalation flaws are often used by attackers after they gain an initial foothold in a victim's system. "These elevation of privilege vulnerabilities are often weaponized during post-exploitation to enable threat actors to discover and harvest credentials and data, before moving laterally to other systems, prior to end goals such as data theft and/or ransomware deployment," he said. "Currently, there is no known mitigation for GreenPlasma. It will be important to patch when Microsoft addresses the issue."

The other zero-days leaked include [4]RedSun, a Windows Defender privilege escalation flaw; [5]UnDefend, a Windows Defender denial-of-service bug; and [6]BlueHammer, a separate Microsoft vulnerability tracked as CVE-2026-32201 that was patched in April.

According to The Register, RedSun and UnDefend remained unfixed at the time of publication, and proof-of-concept code for the flaws was reportedly picked up quickly and abused in real-world attacks.



[1] https://github.com/Nightmare-Eclipse

[2] https://github.com/Nightmare-Eclipse/YellowKey

[3] https://github.com/Nightmare-Eclipse/GreenPlasma

[4] https://github.com/Nightmare-Eclipse/RedSun

[5] https://github.com/Nightmare-Eclipse/UnDefend

[6] https://github.com/Nightmare-Eclipse/BlueHammer
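The mitigation Knapp is quoted with above (a BitLocker PIN plus a firmware password) is something an administrator can at least audit and half-apply from PowerShell. The script below is an added example, not code from The Register, Bridewell, Microsoft or the researcher's repositories: it reports whether the OS volume unlocks with the TPM alone (a normal boot releases the volume key with nobody typing anything) and, if asked, switches it to TPM+PIN. It uses only the built-in BitLocker module cmdlets. Assumptions: the OS drive is C:, the machine has a ready TPM, the registry path HKLM:\SOFTWARE\Policies\Microsoft\FVE is writable, and the policy values set there mirror the "Require additional authentication at startup" group policy (UseAdvancedStartup=1, UseTPMPIN=2 means "allow startup PIN with TPM").

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or the vendor): audit and enforce
# pre-boot authentication on the BitLocker OS volume.
# Assumptions: OS drive C:, TPM present and ready, FVE policy key writable.

function Get-BitLockerPreBootAuth {
    param([string]$MountPoint = 'C:')
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint          = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus   # On / Off
        VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        Protectors          = ($types -join ',')
        # TPM-only: the TPM hands out the volume key on a normal boot with no user input.
        TpmOnlyUnlock       = ($types -contains 'Tpm') -and
                              -not ($types -contains 'TpmPin') -and
                              -not ($types -contains 'TpmPinStartupKey')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

function Enable-BitLockerTpmPin {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Windows refuses a TPM+PIN protector unless policy allows it; these values
    # mirror the "Require additional authentication at startup" GPO (assumption:
    # no domain policy is overriding them).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 2 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord

    $before = Get-BitLockerPreBootAuth -MountPoint $MountPoint
    if (-not $before.HasRecoveryPassword) {
        # Never change protectors without a recovery password on file first.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Drop the bare TPM protector so the PIN is required, not merely available.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Get-BitLockerPreBootAuth -MountPoint $MountPoint
}

# Usage:
#   Get-BitLockerPreBootAuth                                        # audit only
#   Enable-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Run the audit first across a fleet and treat `TpmOnlyUnlock = True` as the finding; the second function is the fix. Print the recovery password (it is in `(Get-BitLockerVolume C:).KeyProtector`) before removing the TPM protector, because the next boot will demand the PIN. The other half of the quoted mitigation, a firmware setup password and disabling USB boot, has no PowerShell interface and has to be set in the machine's firmware menu (or via the OEM's management tooling).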



Running Windows (Score:4, Informative)

by Ritz_Just_Ritz ( 883997 )

...continues to be its own reward.

I don't miss it at all.

Re: (Score:2)

by CEC-P ( 10248912 )

Hey, did you hear about that privilege escalation bug in Linux?

Re: (Score:2)

by thegarbz ( 1787294 )

> ...continues to be its own reward.

> I don't miss it at all.

That's funny, because close to everyone on Slashdot says they don't use Bitlocker and thus aren't affected by this exploit.

Anyway, what should I run instead? Linux? I mean do you want to count which OS has had the highest numbers of security related stories here in the past couple of weeks? You're not going to like the answer.

Defence in depth people. You shouldn't assume your OS is perfectly secure. You shouldn't assume your applications are perfectly secure. You shouldn't assume your supply chain is perfect

Re: (Score:2)

by UnknowingFool ( 672806 )

> Anyway, what should I run instead? Linux? I mean do you want to count which OS has had the highest numbers of security related stories here in the past couple of weeks? You're not going to like the answer.

Only if cherry picking the last few weeks is the only way to support your argument. If you look at Windows security vs Linux security historically, your argument would be pathetic.

> Defence in depth people. You shouldn't assume your OS is perfectly secure. . .

No one said that. That's a strawman argument at best. No OS is perfectly secure. However what I know is Windows had been historically ridden with exploit after exploit.

This may be a boon for people locked out. (Score:4, Interesting)

by laxr5rs ( 2658895 )

My non-computer-interested sister is one... she left her machine off for a while and it, for whatever reason, bitlocked itself. She's not really organized so she didn't know her Microsoft account or the pass. MS would not help, just to let us know which account she needs to log into to get her key. So she lost a bunch of personal work. Thanks MS.

Re: (Score:2)

by zlives ( 2009072 )

happy to help, this kind of forward looking customer support is something that is our top priority, our Top Priority

Re: (Score:3, Insightful)

by smooth wombat ( 796938 )

Because your sister couldn't be bothered to write things down, this is MS' fault?

Re: (Score:3, Insightful)

by drinkypoo ( 153816 )

It's his sister's fault she didn't preserve the key.

It's Mickeysoft's fault they locked the computer for no reason. Locking a normal user's desktop computer (i.e. not one with additional security-related group policy) just because they weren't using it is both user-hostile and pathetic. It gives off strong "Notice me senpai" energy.

There are no heroes in this story, but that goes triple for Microsoft's user-hostile defaults.

Re: (Score:2)

by DarkOx ( 621550 )

I also think there is a lesson here about cryptography on consumer devices.

I really don't think encrypting data at rest, where it isn't absolutely expected like password safe should default on. Key management is hard, the threat model most consumers face simply has them needing (or at least wishing for) offline data recovery a lot more frequently than 'oh shit I left the laptop on the bus' when their reality is the laptop never leaves the house.

Mixing data encryption with identity tools neither of which the

Re: (Score:3)

by thegarbz ( 1787294 )

> It's Mickeysoft's fault they locked the computer for no reason.

No it's your fault for believing this insanely stupid story. Enabling bitlocker is a process with quite a few steps. At no point does it either enable itself - there's no mechanism for it to do so, and even if that process was started (even admins can't remotely enable bitlocker unless the machine is tied to a domain account) there would be many dialogues to click through before the encryption process is even started.

Things we don't know for certain:

a) Did laxr5rs' sister lie to him to save face?

b) Did laxr

Re: (Score:2)

by omnichad ( 1198475 )

> At no point does it either enable itself - there's no mechanism for it to do so

You buy a computer with Windows 10/11 Home.

You sign in with a Microsoft account.

Microsoft backs up your encryption key and starts encrypting the drive. Yes, they call it "device encryption" and not Bitlocker, but that's only semantics because they had already branded Bitlocker as a Pro feature.
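The sequence omnichad describes (sign in with a Microsoft account, the recovery key is uploaded, the drive starts encrypting) is exactly the situation where a home user wants the recovery password somewhere offline before it is ever needed. The script below is an added example, not code from this thread or from Microsoft: it tells you whether the OS volume has been encrypted, writes every recovery password to a file, and optionally sets the switch that stops future automatic Device Encryption. Assumptions: the OS drive is C:, the output file lives on a removable drive the reader chooses (D:\ is a placeholder), and the opt-out registry value HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker\PreventDeviceEncryption=1 behaves as documented for OEM images, i.e. it prevents new automatic encryption and does not decrypt anything.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the thread: save BitLocker / Device Encryption
# recovery passwords offline and optionally opt out of automatic encryption.
# Assumptions: OS drive C:, $OutFile on a removable drive chosen by the reader.

function Export-BitLockerRecoveryInfo {
    param(
        [string]$MountPoint = 'C:',
        [string]$OutFile    = 'D:\bitlocker-recovery.txt'   # placeholder USB path
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        return "$MountPoint is not encrypted; nothing to save."
    }
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        # Device Encryption always creates one; a hand-configured volume may not.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol      = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    # The 8-character ID prefix is what the blue recovery screen shows, so the
    # user can match the right password when there are several.
    $lines = foreach ($p in $recovery) {
        "Computer: $env:COMPUTERNAME   Volume: $MountPoint   Status: $($vol.VolumeStatus)"
        "Key protector ID: $($p.KeyProtectorId)"
        "Recovery password: $($p.RecoveryPassword)"
        ""
    }
    Set-Content -Path $OutFile -Value $lines
    return $OutFile
}

function Disable-AutomaticDeviceEncryption {
    # Stops Windows from starting Device Encryption on its own (e.g. on the
    # first Microsoft-account sign-in). Existing encryption is left untouched.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name PreventDeviceEncryption -Value 1 -Type DWord
    (Get-ItemProperty -Path $key).PreventDeviceEncryption
}

# Usage:
#   Export-BitLockerRecoveryInfo -OutFile 'E:\my-recovery-key.txt'
#   Disable-AutomaticDeviceEncryption
```

The 48-digit recovery password is the same one the recovery screen asks for, so a printout in a drawer is a full substitute for the Microsoft-account copy. Keep the file off the encrypted volume itself; a recovery key that is only readable after recovery is no key at all.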

Re: This may be a boon for people locked out. (Score:2)

by Malc ( 1751 )

Why don't Microsoft do what Apple offers? In their case, if you don't remember the password to your Mac or have a copy of the FileVault key, you can recover it through your iCloud account. At one time, it was optional to store online; I don't know if that's still the case. I know this because recently I somehow mistyped my password the same way twice when I changed it and had to go through the fairly simple recovery process, even though I only use local accounts. So I

Re: (Score:2)

by Himmy32 ( 650060 )

> she didn't know her microsoft account

Microsoft does that same thing, there's an offline key and a key stored in the cloud accessed through a Microsoft account.

Hardly Microsoft's fault that she didn't write down the offline key and couldn't remember her password.

Re: (Score:2)

by Himmy32 ( 650060 )

Bitlocker doesn't trigger from lack of use though. It's basically just when hardware signature changes are detected.

And it's wild to blame Microsoft if they didn't write down their offline key, can't remember their Microsoft account password, or be able to do any of the things required to recover their Microsoft account.

Re:This may be a boon for people locked out. (Score:4, Interesting)

by bill_mcgonigle ( 4333 ) *

I read a story about someone with Bitcoin keys on a laptop which they lost access to.

It was put on a shelf waiting for an exploit like this.

Re: (Score:2)

by thegarbz ( 1787294 )

> she left her machine off for a while and it, for whatever reason bitlocked itself

She's either lying to you or you are lying to us.

Mystery MS Bug Leaker secret origin (Score:4, Funny)

by Provocateur ( 133110 )

All because you parked in his handicap spot.

Re: (Score:3, Informative)

by Vomitgod ( 6659552 )

Steve Jobs says hi

BitLocker isn't the only one, of course (Score:2)

by jd ( 1658 )

VeraCrypt is a particularly strong full-disk encryption, although you don't hear much of companies using it. However, BitLocker security issues keep getting mentioned and it looks like VeraCrypt fixed a number of theirs. However, code quality seems to be listed as unclear on some sites. Not sure how true that actually is though.

BestCrypt is another, but I'm not happy they permit fragile encryption schemes, as those could potentially be used by the software as standard for something important. Being commerci

Re: (Score:2)

by geekmux ( 1040042 )

> BitLocker seems to be a typical Microsoft failure in terms of what it does, used only because it's Microsoft and that gives CTOs and CFOs someone to blame.

Bitlocker does the absolute legal bare minimum.

If it were very secure, idiot CTOs and CFOs would be getting fired weekly for losing/forgetting their decryption pass phrases and subsequently permanently losing company data. Which they would never agree to.

Patch or withdraw from the market (Score:5, Interesting)

by Elektroschock ( 659467 )

The EU Cyber Resilience Act (CRA) (fully applicable from January 16, 2027 onwards) mandates that manufacturers of products with digital elements (like Windows) must patch or mitigate disclosed vulnerabilities without undue delay (Article 10). For critical vulnerabilities, patches must be provided within 14 days of discovery (or sooner if actively exploited). For non-critical vulnerabilities, the deadline is 30 days.

Under the CRA, should Microsoft fail to address a disclosed zero day vulnerability in Windows within the mandated timeframe or neglect to provide adequate mitigation measures, the product may no longer be permitted for distribution within the European market. Authorities would deem such inaction a breach of the regulation's requirements, particularly if the vulnerability remains unpatched while being actively exploited. In such an instance, enforcement bodies could impose a suspension on the sale or distribution of Windows until Microsoft rectifies the issue, issues the necessary patches, and ensures compliance with the Act's provisions. This measure serves to protect users from undue risk and uphold the integrity of digital products under the new regulatory framework.

Re: (Score:2, Insightful)

by DarkOx ( 621550 )

adequate mitigation measures - Use a bitlocker PIN.

DONE... Unless punishing Microsoft is a useful trade negotiating tactic this week.

Things like the CRA are vague and their only real use is as a cudgel for regulators to threaten anyone they don't like with. The result is politically capricious uneven enforcement. Note this isn't an EU problem specifically; the USA has so much of this same frightening freedom-destroying BS law on the books. I am not casting a stone here, but exactly nobody who cares about

Re: (Score:2)

by coofercat ( 719737 )

Stuff like this is actually a big deal in governments. They use *a lot* of Windows laptops, locked down too tight to handle classified material. Full Disk Encryption is a requirement because that way, if the laptop gets stolen, the thief can't get to cached copies or even actual copies of classified data from the hard disk.

If you can (quite easily) get to the data on the disk, then the data security of the device is lost, which means you can no longer work on classified material. That's pretty much the end o

Re: (Score:2)

by tlhIngan ( 30335 )

The problem is low level bugs have a tendency to have their tendrils in far more places than it appears.

Fixing a bug in 14 days? That may be reasonable if it's an application like Microsoft Word, but even then it likely isn't enough to be realistic. Even Google's 30 days was unrealistic.

The problem comes down to how central the component is - there are things where you need to do full regression testing because it's such a critical component that any change could break something.

If you demand a fix in 14 da

Bill? (Score:2)

by MrKaos ( 858439 )

Is that you?

Re: (Score:2)

by drinkypoo ( 153816 )

Bill's [1]not really [yahoo.com] an ex-anything.

[1] https://tech.yahoo.com/ai/articles/bill-gates-continues-backstage-manage-172901766.html

BlueHammer not a zero day (Score:3)

by mccalli ( 323026 )

" The other zero-days leaked include .... BlueHammer, a separate Microsoft vulnerability tracked as CVE-2026-32201 that was patched in April. "

By definition, if a patch is available it is not a zero day.

Re: (Score:1)

by Anonymous Coward

> " The other zero-days leaked include .... BlueHammer, a separate Microsoft vulnerability tracked as CVE-2026-32201 that was patched in April. " By definition, if a patch is available it is not a zero day.

For clarity, the BlueHammer exploit was released on the 3rd of April and the patch was issued on the 14th of April. By definition, if it's not patched at the time of release, it's a [1]zero day [wikipedia.org].

[1] https://en.wikipedia.org/wiki/Zero-day_vulnerability

Re: (Score:2)

by phantomfive ( 622387 )

> if it's not patched at the time of release, it's a [1]zero day [wikipedia.org].

You didn't read your own link. When Microsoft (or the users in general) finds out about the vulnerability, that is day 1. Before that is day zero.

If Microsoft found out about the exploit on the third of April, then that was day one.

Then day two was April 4th.

Day three was April 5th.

Etc. you should be able to do this kind of math.

[1] https://en.wikipedia.org/wiki/Zero-day_vulnerability

Re: (Score:3)

by zlives ( 2009072 )

patch was available after the disclosure from all accounts

Surprised that automatic unlock is a risk? (Score:2)

by Nkwe ( 604125 )

Bitlocker without a PIN is a setup where a normal boot of the machine decrypts the disk without any user interaction. Why would it be a surprise if it was possible to alternate boot from USB and also be able to automatically decrypt the disk? This would be true for any disk encryption software that doesn't require the user to enter a PIN or password at boot time. If you can boot from alternate boot media, pretty much any operating system would allow that alternate boot to have access to the underlying file
