Critical Windows Zero-Day Vulnerability Lets Attackers Steal Users' NTLM Credentials

Security researchers have unveiled a significant vulnerability that impacts all versions of Windows Workstation and Server, spanning from Windows 7 and Server 2008 R2 to the latest iterations, including Windows 11 (v24H2) and Server 2022. This flaw enables attackers to extract a user’s NTLM credentials merely by deceiving them into opening a malicious file within Windows Explorer.

The exploitation can occur through various means, such as accessing a shared folder or USB drive containing the harmful file, or by visiting the Downloads folder where the file may have been inadvertently downloaded from a malicious website.

After responsibly notifying Microsoft about this issue, the researchers have proactively released micropatches to safeguard users until an official fix is made available. These micropatches are provided at no cost during this interim period.

Details of the Vulnerability

While the specific technical details of the vulnerability are being withheld to reduce the risk of exploitation, the researchers underscore that it poses a threat to users across a wide range of Windows versions. This marks the third zero-day vulnerability identified by the same research team in recent months, following the Windows Theme file issue and the “Mark of the Web” vulnerability on Windows Server 2012, both of which remain unaddressed by Microsoft.

Moreover, the earlier reported “EventLogCrasher” vulnerability, which allows an attacker to disable logging on all Windows domain computers, still lacks an official patch. Currently, micropatches are the only available defense against this flaw.

The research team also pointed out three NTLM-related vulnerabilities—PetitPotam, PrinterBug/SpoolSample, and DFSCoerce—that are publicly known but categorized as “won’t fix” by Microsoft. These vulnerabilities persist unpatched on fully updated Windows systems, posing a potential risk for organizations utilizing NTLM authentication.

Availability of Micropatches

In response to this newly identified zero-day vulnerability, the researchers have crafted and distributed micropatches for the affected Windows versions. These patches cater to both legacy and current systems, encompassing:

  • Windows 7 and Server 2008 R2 (all ESU and non-ESU configurations)
  • Windows 10 (versions 1803 through 21H2)
  • Windows Server 2012 and Server 2012 R2 (with and without ESU)

Fully Updated Windows Versions:

  • Windows 10 v22H2
  • Windows 11 (versions 22H2, 23H2, and 24H2)
  • Windows Server 2022, Server 2019, and Server 2016
  • Windows Server 2012 and Server 2012 R2 with ESU 2

Micropatches have already been implemented on affected online systems equipped with the 0patch Agent, provided they are registered through PRO or Enterprise accounts, unless restricted by enterprise group policies. These fixes are designed for seamless application, requiring no system reboot.

How to Protect Your Systems

Organizations and individuals concerned about these vulnerabilities can take immediate steps by installing the complimentary micropatches offered by 0patch. To get started, follow these simple steps:

  1. Create a Free Account: Visit 0patch Central and sign up.
  2. Install 0patch Agent: Download and register the 0patch Agent software.
  3. Activate Protection: Micropatches will automatically apply after registration.

0patch presents a practical solution for ongoing security updates for organizations using Windows versions that Microsoft no longer officially supports. Notably, 0patch has pledged to provide security patches for Windows 10 even after its end-of-support date in October 2025, ensuring protection for at least five additional years.

Users are encouraged to take advantage of the free micropatches to uphold the security of their systems. For those relying on unsupported Windows versions, 0patch serves as a crucial resource to maintain security in an increasingly perilous digital environment.
