Two new critical vulnerabilities in Windows, named YellowKey and GreenPlasma, have been publicly disclosed by a security researcher dissatisfied with Microsoft’s handling of security reports. These zero-day exploits, if leveraged, could enable attackers to bypass BitLocker and gain elevated privileges.
Understanding the YellowKey Exploit
The YellowKey vulnerability targets Windows’ BitLocker encryption system, which is designed to protect user data through hardware-based security measures using the Trusted Platform Module (TPM). Disclosed by a researcher known as Chaotic Eclipse, YellowKey allows an attacker with physical access to a Windows 11 machine to circumvent BitLocker and access encrypted storage volumes.
The proof-of-concept (PoC) for this exploit begins by copying specific files onto a USB drive or onto the EFI partition. The Windows device is then rebooted into the Windows Recovery Environment (WinRE), where a sequence of key presses unlocks access to the supposedly protected data. This has raised concerns about a potential backdoor within BitLocker’s architecture.
Insights into the GreenPlasma Exploit
Chaotic Eclipse also unveiled another zero-day exploit named GreenPlasma, which focuses on privilege escalation. This vulnerability enables attackers to gain System-level access, potentially allowing them to disable security protections and manipulate critical system processes.
The GreenPlasma PoC demonstrates creating arbitrary memory sections in directories writable by the System account, which can be exploited to interfere with Windows services. Although the PoC lacks the full code needed to obtain a System shell, it highlights a significant risk to system integrity and security.
Impact and Industry Response
The disclosure of these vulnerabilities has caught the attention of several cybersecurity researchers who have verified the effectiveness of the exploits on recent Windows 11 builds. Notably, YellowKey also poses a threat to devices secured with a TPM PIN, contingent on the WinRE implementation.
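For defenders, the two relevant facts in the write-up are that the YellowKey PoC runs from WinRE and that devices using a TPM PIN may also be affected depending on the WinRE implementation. The following PowerShell audit is an added example, not code from the article or from the researcher: it lists each BitLocker volume's key protector types next to the machine's WinRE status so that TPM-only volumes on WinRE-enabled hosts can be identified for follow-up. Get-BitLockerVolume and reagentc /info are standard Windows tools; the function names and the output columns are assumptions for this example.

```powershell
# Added audit example (not from the original article). Assumes Windows 10/11 with
# the BitLocker PowerShell module, run from an elevated prompt.

function Get-WinReEnabled {
    # reagentc /info prints a line such as "Windows RE status:   Enabled".
    # The label is localized on non-English systems; adjust the pattern if needed.
    $info = & reagentc.exe /info 2>&1
    $line = $info | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
    return [bool]($line -match 'Enabled')
}

function Get-BitLockerExposure {
    $winReEnabled = Get-WinReEnabled
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values are the standard enum names (Tpm, TpmPin, RecoveryPassword, ...)
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # Protectors that demand something from the user before the OS volume unlocks
        $preBootAuth = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password' })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            TpmOnly          = (($types -contains 'Tpm') -and ($preBootAuth.Count -eq 0))
            WinReEnabled     = $winReEnabled
        }
    }
}

# Volumes with TpmOnly = True and WinReEnabled = True match the exposure profile described above;
# the article notes TPM PIN volumes may be affected as well, so treat the table as a triage aid.
Get-BitLockerExposure | Format-Table -AutoSize
```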
Security experts like Joshua Roback from Swimlane emphasize the importance of scrutinizing any path that leads to System-level privileges, as it could facilitate broader attacks, including malware deployment. Ross Filipek from Corsica Technologies warns that public release of such PoCs accelerates the risk of these exploits being weaponized in real-world attacks.
Microsoft has been contacted for a statement regarding these zero-day vulnerabilities. The tech giant’s response and potential patches are anticipated by the cybersecurity community, especially in light of previous incidents where vulnerabilities were exploited shortly after disclosure.
These recent revelations underscore the ongoing challenges in maintaining robust security for operating systems and highlight the critical need for timely patches and updates to safeguard user data and system integrity.
