NTLM credentials

Winsage
December 10, 2024
Microsoft has issued new guidance to help organizations defend against NTLM relay attacks following the discovery of a zero-day vulnerability affecting all versions of Windows Workstation and Server, from Windows 7 to Windows 11. This vulnerability allows attackers to capture NTLM credentials by tricking users into opening a malicious file. Microsoft has classified the vulnerability as having moderate severity and expects a fix to be rolled out in April. This is the second NTLM credential leak zero-day reported to Microsoft by ACROS Security since October. Microsoft has updated its guidance on enabling Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server to mitigate NTLM-related vulnerabilities.
Winsage
December 10, 2024
A newly identified zero-day vulnerability in Windows allows attackers to steal NTLM credentials through methods such as opening a malicious file in Windows Explorer. This vulnerability affects multiple versions of Windows, including Windows Server 2022, Windows 11 (up to v24H2), Windows 10, Windows 7, and Server 2008 R2. The exploitation requires minimal user interaction, such as accessing shared folders or USB disks. In response, 0patch is providing a complimentary micropatch to registered users until Microsoft issues an official fix. The vulnerability is part of a larger trend of unresolved issues in Windows, and cybersecurity experts emphasize the need for enterprises to adopt robust security measures beyond automated patch management.
Winsage
December 7, 2024
A zero-day vulnerability has been discovered by researchers at Acros Security, affecting all versions of Windows from 7 to 11 and Windows Server 2008 R2 and later. This vulnerability involves Windows NT LAN Manager (NTLM) authentication and allows attackers to obtain a user's NTLM credentials by having the user view a malicious file in Windows Explorer. Currently, there is no official patch from Microsoft. The 0patch platform has released a free "micropatch" for users to protect their systems until an official fix is available.
Winsage
December 7, 2024
Acros Security has identified an unpatched NTLM vulnerability in Microsoft Windows, affecting versions from Windows 7 to Windows 11 v24H2, which risks credential theft. The vulnerability can be exploited through Windows Explorer when users view a malicious file, exposing their NTLM hash to remote attackers. Acros plans to release a micropatch to mitigate the risk and has contacted Microsoft regarding the issue. Historically, Acros has reported several zero-day vulnerabilities to Microsoft. The micropatching industry aims to provide more permanent solutions to security flaws, though it may introduce complications. As Windows 10 approaches retirement, IT managers may increasingly consider micropatching for system protection. Mainstream support for Windows 7 ended in 2015, with extended support concluding in 2020.
Winsage
October 31, 2024
Security researchers at Acros have identified a new zero-day vulnerability (CVE-2024-38030) related to Windows theme files that can lead to the potential exposure of NTLM credentials. This vulnerability affects multiple Windows platforms, including Windows 11 (version 24H2). The issue arises when a theme file specifies a network file path for certain properties, causing Windows to send authenticated network requests to remote hosts, which can result in credential leaks if a malicious theme file is used. Microsoft issued a patch for an earlier related vulnerability (CVE-2024-21320), but researchers found it insufficient for systems that had stopped receiving updates. A more comprehensive patch has been developed by researchers to address all execution paths that could lead to credential leaks, and users of the micropatch service 0patch are currently protected against this vulnerability. The micropatches are available for all supported Windows versions and some legacy versions, but only for Windows Workstation editions, not for Windows Server.
Winsage
October 31, 2024
A new zero-day vulnerability has been identified that targets Windows Themes, allowing attackers to steal NTLM credentials. Acros Security has released a complimentary micropatch to address this issue. The vulnerability, identified as CVE-2024-38030, allows exploitation through a malicious theme file that tricks users into transmitting their NTLM credentials. This flaw affects all fully updated Windows versions, including Windows 11 24H2. Acros Security has reported the vulnerability to Microsoft and has created micropatches for both legacy and currently supported Windows versions. User interaction is required for the exploit to be successful, such as downloading the malicious theme file from an email or website. Users are advised to apply the micropatches promptly to improve their security.