


Microsoft Researchers Reveal Remote Encryption-Bypassing 'Evil Butler' Exploit

A security researcher demonstrated a way to bypass the full disk encryption in Windows BitLocker last November -- but that attack required physical access. Connecting the PC to a network with a counterfeit domain controller that reported incorrect time settings "allowed the attacker to poison the credentials cache and set a new password on the targeted device." An anonymous Slashdot reader writes: Microsoft fixed this vulnerability, and then fixed it again when two researchers pointed out in February 2016 that the fix was incomplete. At this year's Black Hat security conference, two Microsoft researchers have discovered a way to carry out the Evil Maid attack from a remote location, even over the Internet.

The two researchers say that an attacker can compromise a PC, configure it to work as a rogue domain controller, and then use Remote Desktop Protocol to access computers (that have open RDP connections) on the same network and carry out the attack from a distance. This particular attack, nicknamed a Remote Evil Butler, can be extremely attractive and valuable for cyber-espionage groups.

The article points out that Microsoft's February fix prevents this exploit, adding "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."
  • by ArtemaOne ( 1300025 ) on Sunday August 07, 2016 @05:52PM (#52661665)
    There are so many settings that I turn off on a new Windows installation. I really don't see why every back or front door has to be left open on a fresh install, upgrade, or update.
    • by akozakie ( 633875 ) on Sunday August 07, 2016 @06:32PM (#52661857)

      That's one thing. The other one is:

      "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."

      At least one company I know blocked all updates for two reasons entirely under MS control. 1: Win10 is not cleared for use yet for many reasons, updates pushed GWX. 2: High priority updates containing nothing but telemetry. Not enough resources to test & review everything. That's one company looking for other options. Probable outcome - Win cleared for VM use only, under a different host.

      MS's feet are like a sieve from all the self-shooting. Future is not looking all that bright. Surprisingly, it's not due to buggy software - they're doing their best ever in that category. That's the price of allowing marketing & sales to touch the security feed.

      • Then that admin needs to be fired. I hope this company doesn't do any HIPAA or credit card processing.

    • by antdude ( 79039 )

      To make them easy for users to start using them. :(

  • I read the article and the researcher's PDF and neither really points out which "February Fix" MS released that addresses this particular bug. Anyone know which one, specifically?

    I have all Windows Updates turned off normally, so they can't pull a drive-by WinX install on me, but I would sideload this one KB if it was really worthwhile.

    • by Mister Transistor ( 259842 ) on Sunday August 07, 2016 @06:30PM (#52661849) Journal

      Did a little more research; MS-16-014 addresses the fix, and the KB's resulting from it are KB3126587 and KB3126593.

      However, oddly, they are not included in the "SP2" roll-up released on 5/12/2016. Weird. I tried to find out if those two KB's were replaced by something newer and I haven't been able to turn up anything.

      I did find a couple of articles about the KB's causing some errors and failing to install on some systems, usually caused by a lack of an earlier update that they apparently are dependent upon.

      • by Anonymous Coward

        Actually, all of the files from 3126587 (MS16-004) are updated by 3125574 (the convenience rollup). You can look at the files list from the KB article for 3126587 and download the files list for 3125574, and see the newer versions (in fact, the binaries are also put on the LDR branch when you install 3125574, which you may or may not want).
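The thread above names the specific updates (KB3126587 and KB3126593 from MS16-014, and the KB3125574 convenience rollup the reply says supersedes the first). The following is an added check, not code from the post or from Microsoft, that reports which of those updates the local machine has; it assumes Windows PowerShell with `Get-HotFix` available and that the KB identifiers in the thread are the relevant ones.

```powershell
# Added example: report whether the updates discussed in the thread are installed.
# Get-HotFix reads Win32_QuickFixEngineering, which does not list every update type,
# so a "missing" result here is a prompt to verify with update history, not proof.
function Test-EvilButlerPatchState {
    param(
        # Standalone fixes named in the thread for MS16-014 (assumption: these ids are complete).
        [string[]]$FixKbs   = @('KB3126587', 'KB3126593'),
        # Convenience rollup that the reply says carries newer versions of the 3126587 files.
        [string]  $RollupKb = 'KB3125574'
    )

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    $state = [ordered]@{}
    foreach ($kb in $FixKbs) {
        $state[$kb] = ($installed -contains $kb)
    }
    $state[$RollupKb] = ($installed -contains $RollupKb)

    # Covered if every standalone fix is present, or the superseding rollup is present.
    $allFixes = ($FixKbs | ForEach-Object { $installed -contains $_ }) -notcontains $false
    $state['Covered'] = $allFixes -or $state[$RollupKb]

    [pscustomobject]$state
}

Test-EvilButlerPatchState | Format-List
```

Run it on each domain-joined host you want to confirm; a `Covered` value of `False` means neither the standalone fixes nor the rollup showed up in the QFE list and the update history should be checked directly.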

  • If your bitlocker drive is unlocked, wouldn't anything be able to read the drive anyway?

    If it can still read your BitLocker drive when you haven't unlocked it yet then can it still read pre-Win8 BitLocker drives before Microsoft dumbed it down?
