A newly discovered Windows zero-day vulnerability has surfaced, enabling attackers to steal NTLM credentials with minimal user interaction. The flaw, reported by the security research platform 0patch, affects a wide range of Windows versions and currently lacks an official patch from Microsoft.
Zero-Day Vulnerability Overview
The vulnerability allows attackers to capture NTLM credentials by tricking users into viewing a malicious file in Windows Explorer. Notably, users don’t need to open the file—simply previewing it is enough to trigger the attack. This makes the exploit particularly concerning due to its clickless nature.
0patch disclosed the vulnerability to Microsoft but has refrained from sharing technical details until an official fix is released. Meanwhile, the company has issued a free micropatch for its users as a temporary defense measure.
Impacted Windows Versions
The vulnerability affects a wide range of Windows versions, including:
- Windows 7 and Server 2008 R2
- Windows 10 and 11 (all versions, including the latest Windows 11 24H2)
- Windows Server 2012 and Server 2022
Given the extent of affected systems, the risk of widespread exploitation is high unless mitigation steps are taken.
How the Exploit Works
The vulnerability leverages Windows’ handling of NTLM authentication requests. When a user views a malicious file in Windows Explorer, Windows automatically initiates an outbound NTLM connection to a remote share controlled by the attacker. This process sends NTLM hashes of the logged-in user’s credentials, which attackers can capture and potentially crack.
According to 0patch, the exploit can be triggered in several ways:
- Shared Folders or USB Drives: Viewing a malicious file stored in a shared network folder or USB drive.
- Web Downloads: Accessing the Downloads folder containing a previously downloaded malicious file.
These NTLM hashes can be cracked using publicly available tools, granting attackers access to login credentials, including plaintext passwords in some cases.
Microsoft’s Response and History
Despite being aware of the issue, Microsoft has not yet released an official fix. This vulnerability marks the third zero-day 0patch has reported to Microsoft in recent months without prompt action.
Previously reported vulnerabilities still lacking patches include:
- Mark of the Web (MotW) Bypass: A flaw impacting Windows Server 2012, allowing malicious files to bypass security warnings.
- Windows Themes Exploit: A vulnerability that enables remote NTLM credential theft via custom themes.
Additionally, similar NTLM-related exploits like PetitPotam, PrinterBug/SpoolSample, and DFSCoerce also remain unpatched.
Actionable Security Enhancements
While awaiting an official fix, organizations and individual users should take immediate steps to mitigate the risk:
Apply the Unofficial Patch from 0patch
- Step 1: Create a free account on 0patch Central.
- Step 2: Start a free trial and install the 0patch agent.
- Step 3: Allow the agent to automatically apply the micropatches (no reboot required).
Disable NTLM Authentication (Advanced Users/IT Teams)
- Open Group Policy Editor (
gpedit.msc
). - Navigate to Security Settings > Local Policies > Security Options.
- Configure Network security: Restrict NTLM policies as follows:
- Deny All NTLM Traffic.
- Audit Incoming NTLM Traffic (optional for monitoring).
- Open Group Policy Editor (
Modify the Windows Registry (If Comfortable with Advanced Changes)
- Use Registry Editor (
regedit
). - Adjust settings under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Create or adjust keys related to RestrictNTLM settings.
- Use Registry Editor (
General Security Practices
- Regular Updates: Ensure that Windows Update is enabled for critical patches.
- Network Monitoring: Use tools to detect unusual outbound NTLM traffic.
- Credential Guard: Consider enabling Windows Defender Credential Guard where available.
Future Outlook
Microsoft has previously indicated plans to phase out NTLM authentication in future versions of Windows 11. However, given the persistence of NTLM-related vulnerabilities, businesses and users should proactively disable NTLM where feasible.
0patch’s swift release of an unofficial patch highlights the urgent need for a comprehensive security response from Microsoft. Until an official fix arrives, following the recommended mitigation steps is crucial to staying protected from potential attacks.
Key Takeaway: Apply 0patch’s free micropatch, disable NTLM authentication, and monitor your network for suspicious activity to mitigate the risk of NTLM credential theft. Stay updated on Microsoft’s security advisories for an official fix.
Follow us on (Twitter) for real time updates and exclusive content.
Interesting Article : Mitel Patches Severe MiCollab Flaw Allowing Admin Access