{"id":8222,"date":"2026-05-21T01:08:41","date_gmt":"2026-05-21T01:08:41","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8222"},"modified":"2026-05-21T01:08:41","modified_gmt":"2026-05-21T01:08:41","slug":"microsoft-is-working-on-a-patch-for-yellowkey-attack-on-bitlocker-offers-temporary-fix","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8222","title":{"rendered":"Microsoft is working on a patch for \u2018YellowKey\u2019 attack on Bitlocker, offers temporary fix"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Microsoft says it is considering a patch for a zero-day vulnerability, dubbed YellowKey, that allows an attacker with physical access to a Windows device to bypass BitLocker encryption and read and write files on the protected volume. The flaw was disclosed last week, and a public proof of concept is already available.<\/p>\n<p>The company <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-45585\" target=\"_blank\" rel=\"noopener\">issued an advisory<\/a> on Tuesday urging organizations to mitigate the issue, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-45585\" target=\"_blank\" rel=\"noopener\">CVE-2026-45585<\/a>, while it evaluates a patch. The advisory lists <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-45585#:~:text=The%20following%20mitigating%20factors\" target=\"_blank\" rel=\"noopener\">the immediate steps<\/a> that organizations should take. 
A key defense is to limit physical access to vulnerable devices, since the exploit requires physical access.<\/p>\n<p>\u201cOrganizations should start by auditing their environment for the conditions that exist that leave them vulnerable to YellowKey,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/eric-grenier-29a99742\/\" target=\"_blank\" rel=\"noopener\">Eric Grenier<\/a>, senior director analyst at Gartner. \u201cThey should also have a clear understanding of their risk acceptance in the case of a lost\/stolen device and, based on that acceptance (or non-acceptance), follow the steps such as customizing Secure Boot and ensuring firmware and Boot integrity.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/karl-fosaaen\/\" target=\"_blank\" rel=\"noopener\">Karl Fosaaen<\/a>, VP of research at cybersecurity company NetSPI, agreed. \u201cSince this vulnerability requires physical access to exploit, organizations should be focusing on the physical security controls around their Windows devices,\u201d he said. \u201cHaving strong policies and controls around physical access to devices is a good first step in helping protect the potentially vulnerable devices. If there are additional concerns about attackers being able to gain access to files on the system, organizations can look at limiting the data that they allow users to store locally.\u201d<\/p>\n<p>One of the issues facing companies is the proliferation of laptops and other mobile devices carrying corporate data, which makes it harder to restrict physical access to them. \u201cYou\u2019re increasingly seeing companies with corporate data on their laptops, and YellowKey can leave that data unlocked,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/nathanjohnwebb\/\" target=\"_blank\" rel=\"noopener\">Nathan Davies-Webb<\/a>, principal consultant at UK-based security company Acumen. 
This is where tight device security policies come into play, such as prohibiting users from leaving devices unattended.<\/p>\n<p>Detection is also difficult, Fosaaen said, because it is not immediately apparent to an individual user that a device has been targeted. \u201cIf an attacker used the exploit to read files from the encrypted volume, there likely wouldn\u2019t be any indicators to a user. If the attacker implanted malicious software, you might see increased system utilization, or other performance issues,\u201d he noted.<\/p>\n<p>To make things worse, Microsoft\u2019s mitigation guidance may not be fully effective. In a <a href=\"https:\/\/infosec.exchange\/@wdormann\/116604563324444723\" target=\"_blank\" rel=\"noopener\">post on infosec.exchange<\/a>, researcher Will Dormann pointed out that there may be a way to bypass the company\u2019s proposed mitigation. That being the case, IT managers will be watching for a patch from Microsoft.<\/p>\n<p>Microsoft has said it is looking into such a patch, but Davies-Webb doesn\u2019t think a solution will be straightforward. \u201cI would heavily speculate that this is something that is there by design,\u201d he said. \u201cMicrosoft would be thinking \u2018If I stop this happening, what would I be taking away?\u2019 I strongly suspect that there is some functionality in Windows, maybe something in manufacturing, that could be affected by any patch.\u201d<\/p>\n<p>\u201cBesides,\u201d he added, \u201cit could take some time for a patch to be released. 
The <a href=\"https:\/\/labs.cloudsecurityalliance.org\/research\/csa-research-note-defender-triple-zero-day-bluehammer-redsun\/\" target=\"_blank\" rel=\"noopener\">RedSun<\/a> vulnerability [in Windows Defender] was identified last month and still hasn\u2019t been patched.\u201d<\/p>\n<p><em>This article originally appeared on <a href=\"https:\/\/www.computerworld.com\/article\/4175345\/microsoft-is-working-on-a-patch-for-yellowkey-attack-on-bitlocker-offers-temporary-fix.html\" target=\"_blank\" rel=\"noopener\">Computerworld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft says it is considering a patch for a zero-day vulnerability, dubbed YellowKey, that allows an attacker with physical access to a Windows device to bypass BitLocker encryption and read and write files on the protected volume. The flaw was disclosed last week, and a public proof of concept is already available. The company issued an advisory on Tuesday urging [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8223,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8222","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8222"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8222"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8222\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8223"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}