A flaw called YellowKey allows BitLocker, the encryption system in Windows 11, to be bypassed with a USB key and a simple manipulation at startup. Microsoft, which does not yet have a patch to offer, is publishing two emergency measures to limit the risk.
A cybersecurity researcher recently discovered a major vulnerability affecting BitLocker, the encryption system built into Windows 11. The flaw allows the protection of encrypted data to be bypassed in a very simple way. According to the investigation by Nightmare-Eclipse, the researcher who discovered the flaw, all you need to do is copy a specific folder to a USB stick, insert it into the targeted computer, then start the machine while holding down the Ctrl key.
The operation automatically opens the Windows recovery environment, WinRE (Windows Recovery Environment). From there, the command prompt gives full access to the encrypted disk and all the data it contains, as if BitLocker did not exist. The flaw was named YellowKey. Faced with the outcry, Microsoft committed to investigating and deploying a security patch as soon as possible.
Two solutions to counter YellowKey
A few days later, for lack of a real fix, the American publisher decided to highlight two ways to protect yourself. First, Microsoft suggests deleting an entry in the Windows registry related to the program "autofstx.exe". This manipulation prevents the vulnerable component from launching automatically when WinRE starts. It is a fairly technical operation that should be reserved for system administrators.
Furthermore, the vulnerability does not work on systems whose TPM (Trusted Platform Module) chip is combined with a PIN code. This is what security researcher Will Dormann of the company Tharros found, contradicting Nightmare-Eclipse's conclusions. The setting adds a PIN code that must be entered at each boot before the disk is decrypted. It is imperative to configure a PIN code to protect yourself: relying on the TPM chip alone is not enough. The setting can be changed through PowerShell, the Control Panel or, for businesses, Microsoft Intune.
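The PowerShell route mentioned above, as an added example that is not part of the article and not Microsoft's own script: it audits every BitLocker operating-system volume for a TPM+PIN protector, reports the machines that rely on the TPM alone, and, where policy allows it, adds a TPM+PIN protector and removes the TPM-only one so the PIN is actually required at boot. It assumes an elevated session on Windows 11 with the built-in BitLocker module; the policy values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the standard "Require additional authentication at startup" settings, and the 6-20 digit PIN length in the prompt is the default BitLocker limit.

```powershell
# Added example (not from the article): audit BitLocker OS volumes for a TPM+PIN
# protector, the configuration the article says blocks the YellowKey bypass.
# Assumes: elevated PowerShell on Windows 11 with the BitLocker module available.

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-TpmPinPolicyAllowed {
    # $true when the "Require additional authentication at startup" policy
    # permits a TPM+PIN protector. UseAdvancedStartup=1 enables the policy;
    # UseTPMPIN 1 = Require, 2 = Allow (0 = Do not allow).
    $p = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue
    return [bool]($p -and $p.UseAdvancedStartup -eq 1 -and $p.UseTPMPIN -in @(1, 2))
}

function Get-OsVolumesWithoutTpmPin {
    # OS volumes whose protector list has no TpmPin entry (TPM-only or unprotected).
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        Where-Object { -not ($_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }) }
}

$unprotected = @(Get-OsVolumesWithoutTpmPin)
if ($unprotected.Count -eq 0) {
    Write-Host 'All operating-system volumes already require TPM+PIN at startup.'
    exit 0
}

foreach ($vol in $unprotected) {
    $types = ($vol.KeyProtector.KeyProtectorType -join ', ')
    Write-Warning "$($vol.MountPoint) does not require a PIN at boot (protectors: $types)"
}

if (-not (Test-TpmPinPolicyAllowed)) {
    # Add-BitLockerKeyProtector -TpmAndPinProtector fails unless policy allows it.
    Write-Warning 'Policy does not allow TPM+PIN. Enable it via GPO or, locally:'
    Write-Host "  New-Item -Path '$fvePolicy' -Force"
    Write-Host "  Set-ItemProperty -Path '$fvePolicy' -Name UseAdvancedStartup -Value 1"
    Write-Host "  Set-ItemProperty -Path '$fvePolicy' -Name UseTPMPIN -Value 2"
    exit 1
}

# Remediation: add a TPM+PIN protector, then drop the TPM-only protector.
# A recovery password must exist first, otherwise a forgotten PIN locks the disk.
$pin = Read-Host -AsSecureString 'Enter the new BitLocker startup PIN (6-20 digits)'
foreach ($vol in $unprotected) {
    $mp = $vol.MountPoint
    $hasRecovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $hasRecovery) {
        Write-Warning "$mp has no recovery password protector; add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it up before continuing. Skipping."
        continue
    }
    Add-BitLockerKeyProtector -MountPoint $mp -TpmAndPinProtector -Pin $pin | Out-Null
    $tpmOnly = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($kp in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    Write-Host "${mp}: TPM+PIN protector added and TPM-only protector removed; the PIN is now required at every boot."
}
```

Run it once on a test machine before deploying fleet-wide: removing the TPM-only protector is what makes the PIN mandatory, so a missing recovery password at that point would leave the volume unrecoverable, which is why the script refuses to proceed without one.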
Microsoft regrets a “violation of best practices”
In the process, Microsoft criticized Nightmare-Eclipse's practices. The publisher regrets that the researcher disclosed the flaw on the Internet before warning it, while also releasing working exploit code for YellowKey. This is a "violation of vulnerability management best practices", according to Microsoft. To put pressure on Microsoft, the researcher also posted a proof of concept (PoC) that concretely demonstrates how the flaw can be exploited. Such a document obviously risks giving ideas to cybercriminals.
Note that this is not Nightmare-Eclipse's first attempt. The researcher has already disclosed several Windows security vulnerabilities in the same way, including MiniPlasma, BlueHammer and GreenPlasma. Each time, he accompanies his discoveries with a technical demonstration aimed at provoking a rapid reaction from Microsoft.