Patch [FIX] Tuesday – July 2025: [BitLocker Attack, Secure Boot Expiry, Linux chroot+sudo privesc, and Malicious .Zips], E21
Tom (00:00)
Hello everybody and welcome to July. We've made it to the seventh month of the year already. And we're here on this wonderful Tuesday to talk about some amazing fixes Microsoft has released in their products on this Patch Tuesday. I'm Tom, thanks for joining. It's been a very long time since I've been on this podcast, but...
I'm happy to be filling in for Ryan while he's on vacation, making the rest of us jealous. So yeah, definitely an interesting Patch Tuesday week. We've got some good things to talk about here in these release notes. And, you know, the first one that we kind of ran through internally, right, is more BitLocker bypasses, and specifically for this one,
CVE-2025-48001, which is kind of a race condition in BitLocker that allows kind of a physical attack on devices, which I thought was really, really, really interesting. But, you know, I'm curious, Seth, what are your thoughts on this one specifically?
Seth Hoyt (01:14)
Yeah, so like you said, this one is a physical attack. You actually have to have the device in front of you. And so for this one, basically what's broken here is BitLocker is, it's like a pre-boot process. So the system checks the protection state. So that would be like what the TPM holds. And then it'll check like the boot drives, things like that. And then after that check happens,
it actually releases it to RAM and then it can decrypt the drive. So what's happening here is a time-of-check and a time-of-use race condition. Again, as I was saying, the BitLocker boot environment will verify the TPM values, the Secure Boot state and the required filter drivers.
And then after that check happens is the time of use. So immediately after that, it unseals the full volume encryption key and then it places it in memory for it to use. So what happens here is the vulnerability will arise because of the attacker with direct access to that hardware. So, you know, again, this is going to affect lost or stolen laptops, and this primarily affects, well, it's anybody that uses
BitLocker, but you know a lot of corporations are using BitLocker and are relying on that to keep their device secure in the event it gets lost or stolen. So that's how this attack works. So basically what would happen is, you know, you have an adversary that would steal a laptop and have physical control of that, and, you know, whether it's powered off or in hibernate,
they would attach what's called a DMA-capable device, or swap the drive's registry or filter driver configuration during the bootloader. So that's kind of how it works. And then from there, they bypass encryption, have access to that key. So from there, they can do anything. They can data exfil, they can try priv-esc. There's a ton of different things they can do.
They have full access to the hard drive at that point, completely unencrypted. So to kind of mitigate that, you can do other things in the BIOS. You can do like a pre-boot PIN, where before all of those checks even happen, you have to put in a PIN or a password. You know, you can tighten up physical security, and then of course, you know, patching.
Patching will hopefully fix this. So yeah, that's basically it on that.
Tom (04:15)
Yeah, it's absolutely crazy to me how low this is rated, right? Because you make such a great point about lost or stolen laptops, because often those things don't get wiped, right? Because they never connect to the internet again. They're just kind of stolen and then placed somewhere in a warehouse, sent overseas to another country to be kind of, you know, stored until vulnerabilities like this happen, and then they can kind of...
you know, bypass BitLocker with a physical device at hand and then do what they may with the device after the contents of the hard drive are decrypted, right? So to me, this feels like one of those like, yeah, it's low and they're kind of downplaying it. Well, the attack vector, you've got to have physical access to the device, but, you know, no one really cares about stolen devices these days. You know, no one's really retrieving them. They're mostly just writing it off and then buying the employee
a new device, right? And completely relying on, you know, built-in features within Mac or within Windows to protect the confidentiality of these drives. So it's crazy how low this is rated given, I think, the implications for everyone involved. So, yeah, really, really interesting. Speaking of booting, you know, Secure Boot certificates expire June of next year, which is...
Yeah, quite the interesting timing, and a little bit of Microsoft giving us a one-year heads-up, which I think is probably not enough time given how this industry works. And, you know, I'm real curious, Cody, what your take on this one is specifically.
Cody (06:00)
Yeah, this is going to be interesting. So basically everything that's not a Copilot+ PC released this year, I think as of April this year, is going to be affected by this. So you will have to go and... So there's two routes to this. One is that you are an enterprise customer and you have to be opted into updates. Otherwise you will not get the update for some reason.
The second route is for everybody who's not enterprise, and you have to kind of follow the little workflow logic of: you have to go edit your registry keys and you have to set a specific key to a weird DWORD value, which is like 5944, which gets you opted into the AutoPatch service.
Tom (06:31)
You
Cody (06:59)
The other concern with all of this is, so these are all expiring and it seems like the only way that they're willing to update devices is if you are also sending diagnostic data. So if you're worried about sending telemetry back to Microsoft, it gets even harder to try to update your Secure Boot stuff. I don't know, I guess the risk is quite large though, because you won't be able to install
Secure Boot updates, you won't be able to trust third-party software after June of next year for most, and October for a couple of them. And then you won't be able to update your boot manager after October. So, quite the litany of problems if you cannot get this solved. Luckily, they are making it somewhat easy to do. And they do have a page that you can go to, you can go download their app and it'll let you know if...
Tom (07:36)
Yeah.
Yeah.
Cody (07:54)
if you're already opted in or if everything's set up correctly. So it'll do the registry key checks and everything for you. And I believe they've already started rolling out updates
Tom (08:03)
Thanks.
Cody (08:10)
as of last month, and they are still going to release a Secure Boot update for Windows 10 after October 2025, because I believe October of this year is when they stop support entirely for Windows 10, but they have committed to updating everything for that as well.
Seth Hoyt (08:30)
Yeah, the other thing with that Secure Boot, that's kind of like your first line of defense against bootkits too. So after that certificate expires, like, that leaves anything that's not updated at risk.
Tom (08:31)
Nice.
Yeah.
Absolutely.
Cody (08:42)
Yeah. And
another one to think of too is if you currently have Secure Boot disabled, you will also not be able to get the updated certificates. So they're recommending that you turn Secure Boot on to get the updates, and then if you want it off, to turn it back off. So it's kind of a mess. And yeah, I agree. One year in, you know,
Tom (09:04)
Oh man. Yeah.
Cody (09:09)
enterprise stuff is just not long enough. So I think we're going to see a lot of physical devices just have Secure Boot issues, and we're probably going to see a lot of people just unable to use third-party software in about a year.
Tom (09:19)
Mm-hmm.
Yeah.
I mean, outside of the enterprise, just, Windows is still king everywhere. And I just can't imagine, like, walking your grandma through this nasty problem, right? Like, there's gotta be an easier way here. And I appreciate all the guidance Microsoft provided in their article and those kinds of things. But these are the things I think about, is like, okay, cool. Well, most devices in the enterprise are MDM and we can push down like a
Cody (09:34)
Yes.
Seth Hoyt (09:37)
Right.
Cody (09:37)
Yeah.
Tom (09:56)
group policy or something, or you could write an Automox Worklet or whatever to manage this kind of registry value. But, you know, if your grandma, that computer that your kids use or whatever, you know, do they even know, do they even care? Is there gonna be pop-ups, right, that could walk somebody through it on devices that are not enterprise managed? That's where my head goes.
Cody (10:21)
But if you see pop-ups, don't click them.
Seth Hoyt (10:24)
Yeah.
Tom (10:26)
Never click a pop-up. That's so true. That's so true.
Cody (10:29)
Look, Tom, it's 2025. If your grandmother doesn't know how to edit the registry yet, we got it.
Tom (10:34)
It's true.
Maybe Copilot can do that for us. We can just ask it like, hey, can you update this registry value so I'm ready for Secure Boot? Missed opportunity by Microsoft, if you're asking me right here. Copilot use, boom, done. Let them know. Absolutely. Cool. Just to summarize all the Microsoft ones that we found interesting.
Cody (10:40)
yeah, yeah.
you
Tom (11:04)
Obviously BitLocker, right? Make sure you're keeping that up, and keep an eye out on these expiring certificates in Secure Boot as that rolls out before it expires in June of next year. A couple of other things that really piqued our interest these past couple of weeks, right, is CVE-2025-32463, which is another chroot vulnerability. And
yeah, it just feels like another one of those Linux things where, right, the hard part, the easy part is getting on the host, right? And when you're a low-priv user in Linux, a lot of times you can't really do much, right? Like, people in the modern world usually do a pretty good job of, like, you know, only running things as low-priv users, or
applications like NGINX or Apache do a good job of, you know, reducing capabilities down to like a user level instead of running as root. But, you know, getting on a box and finding, you know, an outdated chroot or an outdated sudo is a really, really, I think, easy find these days, and especially outside of the enterprise and, like, CTF land, right? All of these things always remind me of that, right? Like,
a Hack The Box type machine where you've got to exploit this single vulnerability. But, you know, I'm curious to your thoughts on this one, Cody, as well.
Cody (12:34)
Yeah, so this one's interesting because the vulnerability is in between where it starts to pivot the root and unpivot the root in the chroot binary. So for one, you should never rely on chroot as a security mechanism. It has so many problems that it's been exploited many times over, but it is a good
part of the security onion, I guess. But in between the parts where it starts to pivot the root ID of the virtual change root, it makes a call out to nsswitch. So one of the big problems is that you can chroot into a directory and you can overwrite the nsswitch, and that allows you to
load shared libraries. So you can do like complete shared objects. I think the demo that they have for the POC involves just calling /etc/passwd. So it's able to dump the entirety of passwd into the chrooted binary environment. But it's pretty trivial to make it do anything else. If you...
I'm sure we'll link the article to it near the bottom of the article. You can see the call chain, and inside there you can just chain out to as many DLLs as you want, it looks like. And then it kind of circumvents the PAM approval as well, which was another interesting one that I saw. And yeah, I mean.
Tom (14:12)
Yeah.
Cody (14:21)
Being able to do this is very trivial. It's like 20 lines of code or less. I think what ends up being, well, actually, the POC itself is eight lines or nine lines of code. So yeah, in nine lines, you've got root.
Tom (14:26)
Hahaha
Amazing, right? Just amazing. And these things too, you know, sometimes these things can lead to like container breakouts or other similar, you know, attack vectors when you're operating in like a containerized environment, as so many enterprises use today. And, you know, a lot of the industry doesn't necessarily think about these kinds of deep kernel exploits, right, of containers and Kubernetes and all these things, because, well, it's in a container, it's fine, right? But
the reality is, it's like everything is shared underneath, right? In a lot of senses. So, like, nsswitch and all those commands still apply in a containerized environment. So just because you're running a container doesn't necessarily mean you're safe from this. So, you know, keep an eye out for a lot of those things, but yeah, just another, all these tools that we just trust, right? Well, you know, sudo and chroot and all these kinds of security...
It's funny because we've talked only about security kind of controls, right, in this podcast so far. BitLocker and Secure Boot and all these tools are often just as exploited as, you know, Word, or other type tools, right. So the attack surface is always there, ever growing in the industry. Speaking of attack surface, right, the one final thing we wanted to talk about today was this .zip trick,
which unfortunately, you know, to me feels really just weird, right? Like all these .zip tricks and all these polymorphic attacks that you see sometimes, you know, these texts and JPEGs and those sorts of things are always interesting, right? How you can abuse a trusted system like a .zip file or other similar things and, you know,
bypass security measures or exploit systems or do those kinds of things. Sometimes it's a little researchy when you're reading through these exploit chains, but I do think that, you know, something like this one is probably a little less researchy and a little more practical in the day to day. And I'm curious to y'all's thoughts on that one.
Cody (16:58)
Yeah, this one's interesting. They take the approach of not polymorphic, but schizophrenic .zip. That's what they're calling it. So yeah, the way that I'm understanding it is you're basically modifying part of, like, the end of central directory record at the top and you're hiding files at the beginning of the central directory,
Tom (17:04)
Perfect, you know?
Cody (17:25)
but you're modifying the offset, so you're only showing a specific subset of files. And I guess one of the ways that, or one of the technical demonstrations they did, was with invoices. So they're showing you one invoice, like this PDF inside the .zip, and you go to, you know, go to pay the invoice, I guess. And it's sending off a separate PDF file to a different company with all of your bank account information.
So yeah, lots of weird stuff to this one, but it seems very, I mean, it's very trivial. It's another trivial one, you know, just modifying the header and the other .zip header. That's it.
Tom (18:09)
Mm-hmm. Yeah, right. And, you know, to...
Seth Hoyt (18:12)
So, like, with this one, when you...
And then, like, because you would just create a directory with both benign and malicious files. Like, that's pretty basic.
Tom (18:23)
Yeah, absolutely.
Cody (18:24)
Yeah. And
the other big one too is a lot of the hidden files can be executed without, you know, you ever even seeing them. So while it's being skipped in, like, the view state, so if you go to look at the .zip, like the .zip directory, you don't see the files in there, but as you're unzipping it, it can execute stuff inside that hidden area of the central directory.
Tom (18:49)
Yeah. Who's going to look at, you know, what's unzipping versus what they previewed, right? Like, it's just one of those areas in the modern workforce we just blindly trust, right? Like a .zip file. No one knows that it could be used for, like, these kinds of abuse mechanisms. So yeah, just a great place to kind of attack a company, whether you, you know, you're doing it for malicious intent
or maybe like an academic type of red team exercise like this article shows specifically. It's just, you know, everything can be abused, and all of these trusted systems we have in the modern workforce are ripe for exploitation, right? And that's the unfortunate reality of security. You know, you always got to be paranoid about everything. Well, cool.
Cody (19:40)
Yeah.
the other interesting part of it was, I guess one of the things they noticed is that it will detect the software stack that you're on and change the visibility in the central directory based on that. So, like, they're talking about attempting to target somebody who approves invoices. So they'll approve the correct one, so it looks correct, because obviously they're going to be able to validate it. But when the
Tom (20:01)
Mm-hmm.
Yeah.
Cody (20:05)
when your finance team goes to pay it, you know, your finance team has no idea about your IT stack, right? So it's detecting that they're running, like, payment software or whatever, QuickBooks 2003, who knows? You know, and that's when it'll change the visibility of the file. So I thought that was interesting too.
Tom (20:11)
No. Right.
No way, no way, no way.
Yeah, absolutely. You know, I mean, it's true to name, true to name for sure. Cool. Well, that's kind of all we had today. We appreciate your continued support as we ramble on about Microsoft's latest release notes and some other interesting things we find there and around the web. Happy July, everybody. And thank you all for tuning in to this episode of
Cody (20:30)
And that's where the schizophrenic part comes in.
Tom (20:59)
Fix Tuesday.