118 points by e12e 8 hours ago | 10 comments
  • ndiddy 6 hours ago
    I think the Bitlocker "vuln" is a good reminder not to use vendor provided encryption for any sensitive data. https://github.com/Nightmare-Eclipse/YellowKey/ You load a specific file onto a flash drive, plug it into a Bitlocker encrypted computer, reboot it while holding a key combination, and it pops up a command prompt with full access to the encrypted volume. There's no way this isn't a backdoor.
    • aiscoming 5 hours ago
      This exploit works only if you don't use a PIN/password for your BitLocker and the volume automatically unlocks.

      So it gives you access to an encrypted volume which automatically unlocks anyway.

      The only difference is that it immediately gives you root access to the volume instead of having to go through the Windows login procedure - this might be a stolen laptop you don't have an account on.

      • ndiddy 5 hours ago
        The author claims the exploit also works with TPM+PIN; he just hasn't released the PoC:

        > Second thing is, No, TPM+PIN does not help, the issue is still exploitable regardless, I asked myself this question, can it still work in a TPM+PIN environment? Yes it does, I'm just not publishing the PoC, I think what's out there is already bad enough.

        https://deadeclipse666.blogspot.com/2026/05/were-doing-silen...

        • aiscoming 4 hours ago
          They might mean "after you enter the BitLocker PIN you get root access without having a login password on the system" - still just a privilege escalation bug.
          • iscoelho 4 hours ago
            That’s quite a stretch, to say the least.
            • aiscoming 3 hours ago
              Claiming to have a 10 times more impressive PoC but not releasing it "out of goodness of heart" is also quite a stretch.
              • iscoelho 3 hours ago
                Considering the researcher had already reported these to Microsoft, and delayed releasing them publicly until Microsoft "pulled every childish game possible" (quote) instead of patching them, it's not unreasonable for the researcher to be withholding another exploit from the public to limit harm.

                I also disagree that the PIN bypass would be "10 times more impressive," but that's just my professional opinion.

              • sexylinux 3 hours ago
                If you think about it for some minutes you may understand that there are many reasons not to publish it.
    • otterley 5 hours ago
      > I think the Bitlocker "vuln" is a good reminder not to use vendor provided encryption for any sensitive data

      I don't think that's true. Some vendors have a better track record than others. Nobody's popped the storage encryption on iOS or macOS devices yet AFAIK; and the fact that it's tied to a hardware secure element makes it pretty strong.

      • jiggawatts 3 hours ago
        Microsoft quietly dropped support for encryption offload ("OPAL") in SSD drives because the hardware vendors were doing absolute clown-shoes things like using a single static hard-coded key, or the key was literally empty / all zeroes!

        There are levels of trust/security.

        I generally trust Apple's device encryption, assume BitLocker can be popped by a well-equipped nation state attacker, and the rest I trust about as far as I can throw them.

        PS: A related issue was (is?) that the comms between the CPU and the TPM chip on the motherboard aren't encrypted, signed, or in any significant way protected! Apparently it's relatively trivial to extract various keys including BitLocker encryption keys by simply clipping an oscilloscope to the TPM chip pins.

        Reference: https://www.techcentral.ie/windows-bitlocker-no-longer-trust...
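
A defender's check tied to aiscoming's point above (the bypass applies to volumes that unlock automatically) and to the TPM-bus note in this comment (a PIN keeps the key from being released on the bus before the user is present), added here as an example and not code from the thread or from the linked projects: audit which BitLocker key protectors each local volume has and flag encrypted volumes that unlock with no user-held secret. It assumes the built-in BitLocker PowerShell module and an elevated shell; `$secretBacked` is a list I chose for this audit.

```powershell
# Added example: list BitLocker protectors per volume and flag auto-unlock configurations.
# Requires Windows 10/11 Pro or Enterprise, the BitLocker module, and an elevated shell.
Import-Module BitLocker

# Protector types that require a secret the user holds (assumption: these are the
# ones that stop the TPM from releasing the volume key unattended at boot).
$secretBacked = @('TpmPin', 'TpmPinStartupKey', 'Password')

function Get-BitLockerProtectorReport {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtector is a list of protector objects; keep only their type names
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            Mount       = $vol.MountPoint
            Status      = $vol.ProtectionStatus          # On / Off
            VolumeType  = $vol.VolumeType                # OperatingSystem / Data
            Protectors  = ($types -join ',')
            NeedsSecret = [bool]($types | Where-Object { $secretBacked -contains $_ })
        }
    }
}

$report = Get-BitLockerProtectorReport
$report | Format-Table -AutoSize

# An OS volume that is protected but has only Tpm / ExternalKey / RecoveryPassword
# protectors releases its key at boot without any user interaction.
$report |
    Where-Object { $_.Status -eq 'On' -and $_.VolumeType -eq 'OperatingSystem' -and -not $_.NeedsSecret } |
    ForEach-Object {
        Write-Warning "$($_.Mount) unlocks automatically (protectors: $($_.Protectors)); consider adding a TPM+PIN protector"
    }

# Remediation for a flagged OS volume (commented out; needs the Group Policy
# 'Require additional authentication at startup' to permit a PIN first):
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'New PIN')
```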

      • thefz 5 hours ago
        You mean aside from the NSA? https://en.wikipedia.org/wiki/PRISM
        • otterley 5 hours ago
          I don't see anything on the linked page that supports a conclusion that NSA has successfully broken the encryption at rest of an Apple device's storage since they introduced the secure element.

          Care to share a quote?

          • ffsm8 5 hours ago
            PRISM targeted network communication to my knowledge, hence the data wouldn't be siphoned from at-rest encrypted devices. Instead it would've been leaked before it was copied to that local encrypted device, whenever it was transmitted over the wire. E.g. when your background task uploaded it to iCloud or similar.
            • dcrazy 5 hours ago
              It’s worth remembering that since Snowden, much of iCloud is now end-to-end encrypted using keys that Apple cannot unwrap: https://support.apple.com/guide/security/secure-icloud-keych...
              • ffsm8 5 hours ago
                FWIW, that's a clear statement - but only that.

                There is no way for us, the users, to know whether they have the capability to add additional keys to decrypt the data, because the platform isn't open source and doesn't have attestation w.r.t. what's actually serving the requests.

                And it's worth remembering that Apple had similar articles published before PRISM too, which were ultimately proven to be groundless by PRISM.

                • otterley 4 hours ago
                  What, exactly, was proven to be groundless?
      • Veserv 5 hours ago
        Ah yes, the bizarro world where systems are normally unhackable so the default assumption is impenetrable security and you need to prove they are insecure.

        Thank god this is not the world where things get hacked all the time and where any claim of meaningful security is an extraordinary claim that demands extraordinary evidence and proof before credibly asserting it, but everybody just ignores that part and just pinky promises it and everybody just believes them for the 104th time without evidence.

        • otterley 4 hours ago
          Sarcasm is not welcome on Hacker News.

          https://news.ycombinator.com/newsguidelines.html

          Please read and follow the guidelines. If you have something substantive to contribute, like a story about it being popped, or a technical critique of Apple’s implementation, please do so.

          You may also refer to Apple’s platform security white paper: https://help.apple.com/pdf/security/en_US/apple-platform-sec...

          • leonidasrup 2 hours ago
            Without access to source code, these security white papers are equivalent to marketing papers.
          • Veserv 3 hours ago
            That is not how the burden of proof works. You have the burden to demonstrate your extraordinary claim of security adequate to stop the NSA, a claim that flies in the face of the overwhelming prevailing trend of insecurity both in the industry and Apple in particular.

            Your claim has been made without evidence. It can be dismissed without evidence. And that is ignoring the fact that it is a claim actually made against the evidence, both ambient and particular.

            And no, Apple marketing does not qualify as evidence. You need a competent, unbiased third party with demonstrated discriminatory power to support such a claim.

    • zuzululu 3 hours ago
      How does Bill Gates keep getting away with this?
    • sexylinux 3 hours ago
      Do you know of a backdoor for Apple FileVault?
  • Havoc 25 minutes ago
    Seems odd that someone is both capable of this and homeless. This stuff has decent value on the grey market
  • __alexander 7 hours ago
    So weird that GitHub requires a login to view their BlueHammer repo.

    https://github.com/Nightmare-Eclipse/BlueHammer

    • dewey 3 hours ago
      I'm logged in, but I'm seeing this now and can click on "View repository" or "Explore other repositories". Maybe that's why it's behind a login wall.

      > This repository contains malicious content that may cause technical harms. We have decided to preserve this content for security research purposes. Please exercise CAUTION when clicking links, downloading releases, or otherwise interacting with this repository.

    • tsujamin 6 hours ago
      That warning also doesn’t render right on my iPhone (the buttons are overlapping slightly), and I don’t recall seeing it on other repos. Is it new/bespoke?
  • purpleidea 6 hours ago
    It's so obvious that many of the bugs being found are/were most likely M$ backdoors.

    There doesn't seem to be any other plausible explanation. The reckoning needs to come and people need to stop using their products for good.

    Would love a whistleblower to explain which part of the government or company forced it.

    • anonymars 6 hours ago
      Haven't there been heaps of vulnerabilities cropping up all over recently, including CopyFail and Dirty Frag?
      • zuzululu 3 hours ago
        Yeah, those have shaken a lot of people's confidence in Linux, and I don't really see people ditching Windows either.

        In some ways the hysteria of sorts is peculiar... it's not like we never had secure cybersecurity either; it's just that we have too much on the cloud and institutions of trust without questioning it because of herd behavior and empty suits.

        Like, the timing of all of these seemingly disparate events from a "mystery lone wolf" is too obvious, and I'm not the one to entertain conspiracies either.

    • youre-wrong3 3 hours ago
      It’s 2026 and we still have kids writing “M$” like they are cool.
    • blitzar 3 hours ago
      They might be incompetent
  • NDlurker 6 hours ago
    Oh cool. My brother's old laptop is locked. Maybe this will help
    • Charon77 6 hours ago
      Only affects Win11.
      • taspeotis 5 hours ago
        Windows 11 is almost 5 years old at this point
      • NDlurker 5 hours ago
        Haha I texted him about this and he said he already re-installed Windows. Bad timing. It was just a couple weeks ago he told me about this.
  • getcrunk 3 hours ago
    Anyone remember the Samsung SSD issue with BitLocker from maybe a decade or so ago, where it was an empty encryption key or something?
  • NordStreamYacht 6 hours ago
    Laid off Microsoft researcher?
    • zuzululu 3 hours ago
      No way to know, but the timing is peculiar... conspiracy?
  • aussieguy1234 6 hours ago
    Could the Bitlocker vulnerability be a backdoor mandated by some government agency?
  • ChrisArchitect 6 hours ago
    Related:

    YellowKey Bitlocker Bypass Vulnerability

    https://news.ycombinator.com/item?id=48114997

  • quxuejun 6 hours ago
    I think so~