December 6, 2024 at 11:37AM
A new zero-day vulnerability allows attackers to capture NTLM credentials via malicious files in Windows Explorer, affecting all Windows versions from 7 to 11. Discovered by 0patch, the flaw lacks an official fix from Microsoft. 0patch will provide a free micropatch while users can also disable NTLM authentication.
### Meeting Notes Takeaways:
1. **Discovery of Vulnerability**: A new zero-day vulnerability has been identified that allows attackers to capture NTLM credentials just by getting targets to view a malicious file in Windows Explorer.
2. **Affected Versions**: This vulnerability impacts all Windows versions from Windows 7 and Server 2008 R2 up to Windows 11 24H2 and Server 2022.
3. **Details Withheld**: The 0patch team has withheld technical details of the exploit until Microsoft provides an official fix to prevent further exploitation.
4. **Mechanism of the Attack**:
– No user action (like opening a file) is needed other than viewing the malicious file.
– This results in an outbound NTLM connection to a remote share, leading to the automatic transmission of NTLM hashes to the attacker.
5. **Potential Risks**: The stolen NTLM hashes can be cracked, giving attackers access to login names and plaintext passwords.
6. **Unaddressed Vulnerabilities**: This vulnerability is the third reported to Microsoft by 0patch that remains unfixed. Previous vulnerabilities include:
– Mark of the Web (MotW) bypass on Windows Server 2012
– Windows Themes vulnerability allowing remote NTLM credential theft.
7. **Micropatch Availability**:
– 0patch will provide a free micropatch for this zero-day to users registered on its platform until an official fix is released.
– PRO and Enterprise users will receive this micropatch automatically unless configured otherwise.
8. **Alternative Mitigation**: Users can disable NTLM authentication through Group Policy or registry modifications if they are hesitant to apply the unofficial patch.
9. **Awaiting Response from Microsoft**: An inquiry has been sent to Microsoft regarding the vulnerability and their plans for addressing it, and a response is pending.
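One way to carry out the registry side of the mitigation in item 8 in an audit-first manner, as an added example that is neither 0patch's code nor from the article: it reads and sets the RestrictSendingNTLMTraffic value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (the value behind the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy) and lists the resulting audit events (ID 8001) from the NTLM Operational log. The function names are my own.

```powershell
# Added example (not from the article or 0patch): stage outbound-NTLM restriction, audit first, then deny.
# Registry value backing the GPO "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
$NtlmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NtlmValue = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit all, 2 = deny all
$ModeMap   = @{ Allow = 0; Audit = 1; Deny = 2 }

function Get-OutboundNtlmPolicy {
    # Returns the current mode name; an absent value means the Windows default (Allow).
    $v = (Get-ItemProperty -Path $NtlmKey -Name $NtlmValue -ErrorAction SilentlyContinue).$NtlmValue
    if ($null -eq $v) { return 'Allow' }
    $name = ($ModeMap.GetEnumerator() | Where-Object { $_.Value -eq $v }).Key
    if ($name) { $name } else { "Unknown($v)" }
}

function Set-OutboundNtlmPolicy {
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    # Run elevated. Start with Audit, review event 8001 for hosts that still need NTLM
    # (legacy NAS, printers), add those to ClientAllowedNTLMServers (REG_MULTI_SZ, same key), then move to Deny.
    New-ItemProperty -Path $NtlmKey -Name $NtlmValue -PropertyType DWord -Value $ModeMap[$Mode] -Force | Out-Null
    Get-OutboundNtlmPolicy
}

function Get-OutboundNtlmAuditEvents {
    param([int]$Hours = 24)
    # Event 8001 in the NTLM Operational log records outgoing NTLM that Audit mode saw and Deny mode would block.
    # An unexpected outbound NTLM attempt to an Internet host from explorer.exe is the pattern this page describes.
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-NTLM/Operational'
    if (-not $log.IsEnabled) { $log.IsEnabled = $true; $log.SaveChanges() }
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Message
}

# Typical sequence: Set-OutboundNtlmPolicy -Mode Audit; wait a day; Get-OutboundNtlmAuditEvents; then -Mode Deny.
Get-OutboundNtlmPolicy
```

Deny mode stops all outbound NTLM from the host, so anything that only supports NTLM (non-domain-joined shares, some appliances) will fail until it is listed as an exception or migrated to Kerberos.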