217
Microsoft issues mitigation for critical Windows 11 BitLocker flaw exploited with a USB key — "Can't come up with an explanation beside the fact that this was intentional." (www.windowscentral.com)
submitted 20 hours ago by sanitation@lemmy.radio to c/pcmasterrace@lemmy.world
14 comments fedilink hide all child comments
top 14 comments
sorted by: hot top controversial new old
[-] youcantreadthis@quokk.au 10 points 9 hours ago

Vibe coded operating system what could go wrong

[-] SleeplessCityLights@programming.dev 7 points 7 hours ago

Vibe coding did not exist when this was put it in.

[-] youcantreadthis@quokk.au 4 points 7 hours ago

Oh then yes back door no other explanation plus them being very sus

[-] SleeplessCityLights@programming.dev 2 points 5 hours ago

I think this is pretty straightforward, they put in a backdoor and someone found it.

[-] Wildmimic@anarchist.nexus 99 points 18 hours ago* (last edited 17 hours ago)

lol

Microsoft:

In the meantime, Microsoft recommends changing BitLocker’s configuration on encrypted devices from TPM-only mode to TPM+PIN mode using PowerShell, the command line, or the Control Panel. This adjustment requires a pre-boot PIN to decrypt the drive at startup and is expected to block YellowKey attacks.

Chaotic Eclipse posted the following with the disclosure of Yellowkey:

Second thing is, No, TPM+PIN does not help, the issue is still exploitable regardless, I asked myself this question, can it still work in a TPM+PIN environment ? Yes it does, I'm just not publishing the PoC, I think what's out there is already bad enough.

Additional info:

The YellowKey is caused by the binary "autofstx.exe" which propagates all present volumes for transaction files, a researcher (unsure if they want to be named) told me that this binary is also present in windows update WinRE images and I think they will definitely have the same vulnerability as well. However, I'm unsure if it's possible to trigger the controlled file deletion when windows is updating. If it's true, then it means disabling WinRE is not a solution for the problem, which also means it's a good thing that I kept the PIN+TPM PoC a secret.

And as response to this:

"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices."

They posted:

Saying that I violated CVD best practices is a defamation of my personal reputation, you already told me you will defaming me and doing it in public will not help dissolve this conflict. You intentionally revoked my access to my MSRC account that I used to report vulnerabilities to you, when I asked you, you went ahead and completely wiped the account from existance despite multiple attempts from asking for an explanation. All of those requests went unanswered by the MSRC leadership.

I'm taking your statement very personally.

I have to say, i'm a fan.

Edit: The story so far would probably be well suited for an anime adaption. I hope we learn someday what shit MS pulled to make our friendly neighborhood security researcher so pissed that they started a one-person-crusade against one of the largest IT companies in the world.

[-] Wildmimic@anarchist.nexus 55 points 18 hours ago

Even better, they posted this last week:

After re-investigating the technique used in GreenPlasma (specifically SetPolicyVal), it turns out cldflt!HsmOsBlockPlaceholderAccess is still vulnerable to the exact same issue that was reported to Microsoft 6 years ago. I'm not taking full credit for this, James Forshaw from google project zero found the vulnerability and reported it to Microsoft and was supposedly fixed as CVE-2020-17103.

However, a research who's a friend of mine pointed out that the routine might still have a vulnerability, which is something I considered but brushed off because I thought it was impossible for Microsoft to just not patch this or rollback the patch.

After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched. I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes.

https://github.com/Nightmare-Eclipse/MiniPlasma https://deadeclipse666.removed/

[-] raspberriesareyummy@lemmy.world 13 points 17 hours ago

Chaotic Eclipse posted the following with the disclosure of Yellowkey:

Second thing is, No, TPM+PIN does not help, the issue is still exploitable regardless, I asked myself this question, can it still work in a TPM+PIN environment ? Yes it does, I’m just not publishing the PoC, I think what’s out there is already bad enough.

Additional info:

The YellowKey is caused by the binary “autofstx.exe” which propagates all present volumes for transaction files, a researcher (unsure if they want to be named) told me that this binary is also present in windows update WinRE images and I think they will definitely have the same vulnerability as well. However, I’m unsure if it’s possible to trigger the controlled file deletion when windows is updating. If it’s true, then it means disabling WinRE is not a solution for the problem, which also means it’s a good thing that I kept the PIN+TPM PoC a secret.

Would you happen to have a source link for those claims? I'd like to forward them to a few organisations I work with, warning them that devices currently lost/stolen/left unsupervised despite having TPM+PIN configured will have to be considered compromised even if a future patch comes out.

[-] Wildmimic@anarchist.nexus 18 points 15 hours ago* (last edited 15 hours ago)

it's the second link, https://deadeclipse666.removed/ - The entry is from May 13, titled "We're doing silent patches now huh, also a quick note about YellowKey", the second part is from May 14, titled "Important updates regarding YellowKey and GreenPlasma". They are the one who found the vulnerabilities, PoC for RedSun, BlueHammer, YellowKey, GreenPlasma and MiniPlasma are on GitHub @ https://github.com/Nightmare-Eclipse

[-] raspberriesareyummy@lemmy.world 1 points 8 hours ago

Thank you - it appears I stopped reading just one comment short of that, assuming that the "TPM+PIN is insecure" was a new comment, and not expecting it deeper down in the past.

[-] hemmes@lemmy.world 23 points 15 hours ago

This is what it looks like if lawmakers are allowed to pass legislation forcing back doors in encryption…but worse because it wouldn’t be just Windows.

[-] jasoman@lemmy.world 39 points 18 hours ago

Pray they don't backdoor it again.

[-] youcantreadthis@quokk.au 1 points 7 hours ago

That's not fair this could just be vibe coding there's no way to know you know ms dogfoods copilot requires everyone code

[-] OwOarchist@pawb.social 26 points 18 hours ago* (last edited 18 hours ago)

Corpo software will ALWAYS have backdoors.

Can't have those disgusting, smelly peasants locking their betters out of their home computer now, can we?

[-] KlausDieterFreddek@feddit.org 28 points 18 hours ago

Of course they will. That's why the actual "fix" will be in the next update. They first have to build a new backdoor before the old one is really closed.

this post was submitted on 22 May 2026
217 points (100.0% liked)

PC Master Race

21199 readers
1513 users here now

A community for PC Master Race.

Rules:

  1. No bigotry: Including racism, sexism, homophobia, transphobia, or xenophobia. Code of Conduct.
  2. Be respectful. Everyone should feel welcome here.
  3. No NSFW content.
  4. No Ads / Spamming.
  5. Be thoughtful and helpful: especially when new beginners have questions.

founded 2 years ago
MODERATORS
_MoveSwiftly@lemmy.world
Brunbrun6766@lemmy.world
IowaMan@lemmy.world
BobaFett26@lemmy.world
The_Vampire@lemmy.world
Fudgeknuckles98@lemmy.world
CatZoomies@lemmy.world
Xeon@lemmy.ml
geosoco@kbin.social