Microsoft has released emergency fixes for three actively exploited zero-day vulnerabilities in Windows, including two flaws that grant attackers full SYSTEM-level control on fully patched machines and a third that bypasses BitLocker drive encryption protections.
The fixes arrived as part of Microsoft's regular Patch Tuesday cycle on 10 June, but the severity of the flaws — all three of which were already being exploited in the wild prior to disclosure — has prompted security professionals to urge immediate deployment rather than waiting for routine patch schedules.
Two Paths to SYSTEM-Level Dominance
The most critical of the three vulnerabilities, tracked internally with the codenames YellowKey and GreenPlasma, both enable local privilege escalation to SYSTEM — the highest level of access available on a Windows machine. A local attacker exploiting either flaw can effectively seize complete control of an affected system, bypassing security boundaries and unlocking the ability to install malicious software, access sensitive data, disable security tools, or move laterally across a network.
Because these are local privilege escalation rather than remote code execution bugs, an attacker would need an initial foothold on the target machine — for instance, through malware delivered via phishing, a compromised application, or stolen credentials. However, once that foothold is established, escalation to SYSTEM via these flaws would be near-trivial, making them exceptionally valuable to threat actors staging multi-phase intrusions.
Security researchers have noted a growing trend among sophisticated attackers who favour privilege escalation and security feature bypasses over noisier remote code execution exploits. These stealthier techniques are significantly harder for endpoint detection tools to flag, often serving as silent precursors to major breaches.
BitLocker Bypass Raises Ransomware and Compliance Fears
The third vulnerability, codenamed MiniPlasma, targets BitLocker, Microsoft's widely deployed full-disk encryption technology. The flaw allows an attacker to gain access to drives that are supposed to be protected by BitLocker encryption, effectively undermining a foundational layer of data-at-rest security.
The implications extend well beyond confidentiality. BitLocker is a cornerstone of many organisations' compliance frameworks — regulatory obligations around data protection often mandate or strongly recommend full-disk encryption on endpoint devices. A successful bypass could put organisations at odds with data protection requirements.
Perhaps more concerning is the potential for MiniPlasma to be weaponised alongside ransomware. Security analysts have flagged the possibility that attackers could chain the BitLocker bypass with encryption-based extortion, either disabling BitLocker before deploying ransomware or using the vulnerability to access data that organisations believed was protected. This would significantly increase the operational and financial impact of a ransomware campaign.
Why Immediate Patching Matters
While zero-day vulnerabilities disclosed during Patch Tuesday are not unprecedented, having three confirmed actively exploited in a single release raises the urgency considerably. The fact that threat actors had already been leveraging these flaws before a fix was available means that compromise may have already occurred in organisations that have not yet detected intrusions.
IT and security teams are advised not only to deploy the patches as quickly as possible across all Windows environments but also to conduct proactive threat hunting for indicators of prior compromise — particularly signs of privilege escalation activity or unexpected access to BitLocker-protected volumes.
Organisations relying on BitLocker as a primary data-at-rest control should additionally reassess whether their encryption deployments remain effective in light of the bypass, and consider supplementary protections until confidence in the patch's coverage is established.
Microsoft has not yet disclosed the full scope or timeline of the prior exploitation, nor whether specific sectors or regions were targeted. Those details, along with detection signatures and log patterns that could help defenders identify historical exploitation attempts, remain areas the security community will be watching closely in the days ahead.
Microsoft 已針對 Windows 中三個正遭積極利用的零日漏洞發布緊急修補程式。其中包括兩個可讓攻擊者在已完全更新的機器上取得完整 SYSTEM 級別控制權的漏洞,以及第三個可繞過 BitLocker 磁碟機加密保護的漏洞。
這些修補程式作為 Microsoft 常規 Patch Tuesday(每月安全更新)週期的一部分,於 6 月 10 日發佈。然而,由於所有三個漏洞在被揭露之前已遭在野利用,其嚴重性促使安全專家敦促立即部署,而非等待例行的修補排程。
兩條通往 SYSTEM 級別控制權的路徑
在三個漏洞中,最關鍵的兩個(內部代號分別為 YellowKey 及 GreenPlasma)均允許本地權限提升至 SYSTEM——即 Windows 機器上最高級別的存取權限。本地攻擊者利用其中任何一個漏洞,即可有效完全控制受影響的系統,繞過安全邊界,並獲得安裝惡意軟件、存取敏感數據、停用安全工具或於網絡內進行橫向移動的能力。
由於這些是本地權限提升而非遠程代碼執行漏洞,攻擊者需要先在目標機器上獲得一個初始立足點——例如透過釣魚攻擊散播的惡意軟件、受入侵的應用程式或被盜的憑證。然而,一旦確立此立足點,透過這些漏洞提升至 SYSTEM 權限將近乎輕而易舉,這使得它們對於策劃多階段入侵的威脅行為者而言異常寶貴。
安全研究人員指出,一個日益增長的趨勢是,複雜的攻擊者傾向於使用權限提升及安全功能繞過,而非較為喧鬧的遠程代碼執行漏洞利用。這些更隱蔽的技術更難被端點偵測工具標記,往往成為重大安全事件的無聲前兆。
BitLocker 繞過引發勒索軟件及合規性擔憂
第三個漏洞(代號 MiniPlasma)的目標是 Microsoft 廣泛部署的全磁碟加密技術 BitLocker。此漏洞允許攻擊者存取本應受 BitLocker 加密保護的磁碟機,實質上破壞了靜態數據安全的一個基礎層面。
其影響遠超保密性。BitLocker 是許多組織合規框架的基石——數據保護相關的法規義務通常強制或強烈建議對端點裝置進行全磁碟加密。成功的繞過可能使組織陷入違反數據保護要求的困境。
或許更令人擔憂的是 MiniPlasma 被武器化與勒索軟件結合的可能性。安全分析師已指出,攻擊者可能將 BitLocker 繞過漏洞與基於加密的勒索行為串聯——無論是在部署勒索軟件前停用 BitLocker,還是利用此漏洞存取組織原本認為已受保護的數據。這將顯著增加勒索軟件攻擊的操作及財務影響。
為何即時修補至關重要
雖然在 Patch Tuesday 期間揭露零日漏洞並非史無前例,但單次更新中有三個確認正遭在野利用的漏洞,這大大提升了緊迫性。威脅行為者在修補程式可用前已利用這些漏洞的事實意味著,那些尚未偵測到入侵的組織可能已經遭受入侵。
建議 IT 及安全團隊不僅要盡快在所有 Windows 環境中部署這些修補程式,還應主動進行威脅搜尋,尋找先前入侵的指標——特別是權限提升活動的跡象,或對受 BitLocker 保護的磁碟區進行未預期存取的跡象。
依賴 BitLocker 作為主要靜態數據控制措施的組織,應額外評估其加密部署在此繞過漏洞影響下是否仍然有效,並在對修補程式覆蓋範圍建立信心之前考慮實施額外保護措施。
Microsoft 尚未披露先前利用的完整範圍或時間線,亦未說明特定行業或地區是否成為目標。這些細節,連同可幫助防禦者識別歷史利用嘗試的偵測特徵碼及日誌模式,仍是安全社群在未來數日密切關注的領域。