Two New Zero Day Flaws Bypass BitLocker and Elevate Privileges on Windows

Chaotic Eclipse reveals two zero day flaws, one bypassing BitLocker encryption via the Windows Recovery Environment and another elevating privileges through the CTFMON framework.

CSBadmin

BitLocker Bypass via Windows Recovery Environment

A security researcher known as Chaotic Eclipse has disclosed a new zero-day vulnerability that can bypass Microsoft's BitLocker encryption. Dubbed YellowKey, the flaw resides in the Windows Recovery Environment (WinRE), a tool for troubleshooting boot issues. An attacker can exploit it by placing specially crafted Transactional NTFS (TxF) files on a USB drive or EFI partition. When the USB drive is plugged into a BitLocker-protected Windows 11 or Windows Server 2022/2025 machine and the system is rebooted into WinRE, holding the CTRL key triggers a command prompt with full access to the unlocked drive. The researcher noted that even TPM combined with a PIN does not prevent the exploit, because the vulnerability operates at a deeper system level than the pre-boot authentication.

CTFMON Privilege Escalation Impact

The second zero-day, named GreenPlasma, targets the Windows Collaborative Translation Framework (CTFMON), a component that manages text input and language features. This flaw allows an attacker to escalate privileges on a compromised system, potentially gaining administrative control. The researcher highlighted the severity of both flaws, suggesting that Microsoft's security response team may struggle to find the root cause of the BitLocker bypass due to its intricate nature. Security expert Will Dormann confirmed that he could reproduce YellowKey with a USB drive, noting that a TxF directory on one volume can modify files on another volume during recovery, which may itself represent a separate vulnerability.

Source: The Hacker News
