Microsoft Denies a New Recall Security Vulnerability Claim

A security researcher claims to have found a security vulnerability in Recall, but Microsoft correctly disagrees.

“The VBS [virtualization-based security] enclave [that protects the Recall data] is rock solid,” the security researcher admits. “The fundamental problem isn’t the crypto, the enclave, the authentication, or the PPL [protected process light]. It’s sending decrypted content to an unprotected process [the Recall timeline app] for rendering. The vault door is titanium. The wall next to it is drywall.”

What’s he trying to say is that Recall protects user data exactly the way Microsoft has always claimed, but once a user signs into Windows, it’s possible for them to run an app, malicious or otherwise, that can access that data. So this isn’t even a social engineering attack, let a security vulnerability.

Which explains why Microsoft closed its investigation into this issue as “Not a Vulnerability.” And to give credit to this security researcher, who previously claimed to break into Recall almost two years ago by hacking it out of pre-release builds and removing all the security protections, this time he at least alerted Microsoft before publishing his findings. That’s what security researchers are supposed to.

“The behavior observed operates within the current, documented security design of Recall,” Microsoft explained to the researcher. “The access patterns demonstrated are consistent with intended protections and existing controls.”

Microsoft also references a September 2024 blog post in which it explains that users must use Windows Hello Enhanced Sign-in Security (Windows Hello ESS) to authorize access to the VBS-protected Recall data temporarily, which “restricts attempts by latent malware trying to ’ride along’ with a user authentication to steal data.”

My stance on this is simple enough. Yes, this is Microsoft, so we should expect mistakes. But it’s also been almost two years since this individual fraudulently claimed that Recall was a security nightmare and this is all he could come up with. “Recall doesn’t just take screenshots,” he writes. “It builds a comprehensive behavioral profile of everything you do on your computer.” Left unsaid: None of this information is transmitted to Microsoft or anywhere outside the PC.

In short, this feature is working as Microsoft describes it. And after buying a compatible Copilot+ PC, you can opt-in to Recall if you want this functionality, and you can ignore it if you don’t. Anyone who’s still concerned about Recall would never enable it to begin with.