by jeroenhd 21 days ago
The backdoor could be a bug, but I don't really understand how it happened.

The attack works by having an NTFS log get replayed against a partition other than the one the log is stored on.

Sending the right signals to unlock Bitlocker in TPM-only mode is a necessity for recovery operations. Managing to replace the executable launched post verification is a plausible attack vector.

The weird thing is why it's possible to put the corrupting transactions on a different disk than the one being updated.

In theory I think it would be possible that it's a combination of "all recovery partitions share the same FS identifier and are verified before transaction playback" (it is a pre-packaged WIM file after all) and "the transaction log stores the FS identifier of the partition the changes are meant for", but in my opinion the latter part is a very weird architecture to choose.

If this is a backdoor, I appreciate how clever they were hiding it. If this is a bug, the person who discovered it probably has a whole lot more ready to publish.

2 comments

The thing that made Nightmare think it was a backdoor is that the bug is only present in the recovery version of the DLLs, not the one built into the system, and not prior versions of Windows. It’s also for a file system feature that Microsoft hasn’t “touched” in ages and they consider fairly esoteric.
> The attack works by having an NTFS log get replayed against another partition than the one the log is stored on.

Obfuscated enough to pass internal reviews, sloppy enough to make it look like a bug.

Other reply makes it even more suspicious... change is new in a subsystem that hasn't been updated in a long time and it's only present in recovery mode files.

Microsoft's handling of this also screams it's not a regular bug and they're likely investigating or someone is trying to cover their ass.

What's even more troubling is that the fix would be a very simple/quick rollback of the change that introduced this... and that they haven't done that is interesting.