November 28, 2023 at 05:36AM
Researchers have discovered a cyber attack technique called “forced authentication” that can leak a Windows user’s NT LAN Manager (NTLM) tokens. The attack exploits a feature in Microsoft Access that allows users to link to external data sources, and it can be launched by tricking a victim into opening a specially crafted file. Microsoft has released mitigations for the issue, and 0patch has provided unofficial fixes for various Office versions.
Takeaways from the meeting notes:
1. Cybersecurity researchers have discovered a vulnerability in Microsoft Access that allows for the leak of NTLM tokens.
2. Attackers can exploit this vulnerability by tricking victims into opening specially crafted Access files or other file types such as .rtf.
3. The attack abuses the linked table feature in Access to embed a remote SQL Server database link and leak NTLM hashes to an attacker-controlled server.
4. The attacker sets up a server listening on port 80 and sends the file to the victim. Once the victim opens the file and clicks the linked table, the attacker can launch a relay attack with a targeted NTLM server.
5. Microsoft has released mitigations for the vulnerability in the Office/Access version, and 0patch has provided unofficial fixes for various Office versions.
6. Microsoft plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security.
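A detection-side sketch of takeaways 3 and 4, added here as an example and not taken from the researchers, Microsoft or 0patch: a linked table pointing at a remote server shows up as an outbound connection from the Access process, so the check below flags such connections to non-internal addresses. The records are constructed samples shaped like Sysmon Event ID 3 (network connection) after normalization; the `MSACCESS.EXE` process name, the internal address ranges and the function names are assumptions to adapt to the environment.

```python
import ipaddress
import ntpath

# Assumption: internal address space; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample records shaped like Sysmon Event ID 3 (network connection).
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS-014", "Initiated": True,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE",
     "DestinationIp": "203.0.113.25", "DestinationPort": 80},
    {"EventID": 3, "Computer": "WS-014", "Initiated": True,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE",
     "DestinationIp": "10.20.0.8", "DestinationPort": 1433},
    {"EventID": 3, "Computer": "WS-022", "Initiated": True,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},
    {"EventID": 1, "Computer": "WS-014",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE"},
]

def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_access_egress(events):
    """Return (host, ip, port) for outbound connections Access made to non-internal hosts."""
    hits = []
    for ev in events:
        # Only outbound network-connection events are relevant.
        if ev.get("EventID") != 3 or not ev.get("Initiated"):
            continue
        # Match on the executable name regardless of install path or case.
        if ntpath.basename(ev.get("Image", "")).lower() != "msaccess.exe":
            continue
        try:
            if is_internal(ev["DestinationIp"]):
                continue  # e.g. a legitimate internal SQL Server link
        except (KeyError, ValueError):
            continue  # missing or malformed address: nothing to evaluate
        hits.append((ev["Computer"], ev["DestinationIp"], ev.get("DestinationPort")))
    return hits

if __name__ == "__main__":
    for host, ip, port in find_access_egress(SAMPLE_EVENTS):
        print(f"{host}: MSACCESS.EXE -> {ip}:{port}")
```

Environments that legitimately link Access to external databases will need an allowlist of known destinations before alerting on these hits.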