New Windows zero-day exposes NTLM credentials, gets unofficial patch

A newly uncovered zero-day vulnerability affects Windows users, enabling attackers to capture NTLM credentials with very little user interaction. The flaw was identified by the 0patch team, known for providing unofficial security patches for Windows versions Microsoft no longer supports, and was promptly reported to Microsoft. As of now, no official fix has been issued.

According to 0patch, this vulnerability, which lacks a CVE ID, affects a wide range of Windows versions, spanning from Windows 7 and Server 2008 R2 to the latest iterations, including Windows 11 24H2 and Server 2022.

A clickless exploit

In a strategic move, 0patch has chosen to withhold the technical specifics of this zero-day vulnerability until Microsoft can provide a formal fix, aiming to prevent potential exploitation in the wild. The mechanics of the attack are disturbingly straightforward: merely viewing a specially crafted malicious file in File Explorer is sufficient—no need to open the file itself.

As articulated by 0patch, “The vulnerability allows an attacker to obtain [the] user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer—e.g., by opening a shared folder or USB disk containing such a file, or by viewing the Downloads folder where such a file was previously downloaded from the attacker’s web page.”

While 0patch refrains from divulging further details, BleepingComputer understands that the exploit causes Windows to open an outbound NTLM connection to a remote share under the attacker's control. Windows then authenticates automatically as the logged-in user, and the NTLM challenge-response it sends (the user's Net-NTLMv2 hash, not the NT hash stored on the machine) can be captured by the attacker. As earlier incidents have demonstrated, these captured hashes can be cracked offline to recover the username and plaintext password. Notably, Microsoft has announced plans to phase out the NTLM authentication protocol in future Windows 11 releases.

0patch emphasizes that this is the third zero-day vulnerability it has reported to Microsoft that the vendor has not yet fixed. The other two are a Mark of the Web (MotW) bypass on Windows Server 2012, disclosed late last month, and a Windows Themes vulnerability that allows remote NTLM credential theft, revealed in late October. Both issues remain unresolved.

Additionally, 0patch highlights that other previously disclosed NTLM hash disclosure vulnerabilities, such as PetitPotam, PrinterBug/SpoolSample, and DFSCoerce, also lack official fixes in the latest Windows versions, leaving users reliant on 0patch’s micropatches for protection.

Micropatch availability

In response to this latest discovery, 0patch will offer its micropatch free of charge to all users registered on its platform until Microsoft releases an official fix. Users with PRO and Enterprise accounts have already received the security micropatch automatically, unless their settings explicitly prevent this.

To obtain the patch, users can create a free account on 0patch Central, initiate a free trial, and install the agent, which will automatically apply the necessary micropatches without requiring a reboot.

For those hesitant to implement the unofficial patch from 0patch, an alternative is available: restricting or blocking outbound NTLM authentication through Group Policy under ‘Security Settings > Local Policies > Security Options,’ using the “Network security: Restrict NTLM” policies (in particular “Outgoing NTLM traffic to remote servers”). The same settings can be applied through the registry. Because blocking NTLM outright can break authentication to servers that do not support Kerberos, the policy should be run in audit mode first and exceptions added for known legitimate servers before switching to deny.
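The following is an added example of that workaround, not code from 0patch or from the original article. It drives the same registry values the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” and “Add remote server exceptions for NTLM authentication” policies set, audits which servers the host actually sends NTLM to before enforcing deny, and then blocks everything except an allow list. The server names in $AllowedNtlmServers are placeholders, and the parsing of event 8001 assumes its message text contains a “Target server:” line as it does on current Windows builds. Run it from an elevated PowerShell session.

```powershell
# Registry home of the "Network security: Restrict NTLM" client-side settings.
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# RestrictSendingNTLMTraffic: 0 = Allow all (default), 1 = Audit all, 2 = Deny all
$ModeMeaning = @{ 0 = 'Allow all (default, NTLM can be coerced to any host)'
                  1 = 'Audit all (allowed, logged as event 8001)'
                  2 = 'Deny all except ClientAllowedNTLMServers' }

# Assumed placeholder names of servers that still need NTLM (no Kerberos SPN, accessed by IP, etc.).
$AllowedNtlmServers = @('fileserver01.corp.example', '*.legacy.corp.example')

function Get-OutboundNtlmPolicy {
    $p = Get-ItemProperty -Path $Msv1Key -ErrorAction SilentlyContinue
    $mode = 0
    if ($null -ne $p -and $null -ne $p.RestrictSendingNTLMTraffic) { $mode = [int]$p.RestrictSendingNTLMTraffic }
    [pscustomobject]@{
        Mode       = $mode
        Meaning    = $ModeMeaning[$mode]
        Exceptions = if ($null -ne $p) { $p.ClientAllowedNTLMServers } else { $null }
    }
}

function Set-OutboundNtlmPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Mode,
        [string[]]$Exceptions
    )
    if (-not (Test-Path $Msv1Key)) { New-Item -Path $Msv1Key -Force | Out-Null }
    New-ItemProperty -Path $Msv1Key -Name 'RestrictSendingNTLMTraffic' -PropertyType DWord `
        -Value $Mode -Force | Out-Null
    if ($Exceptions) {
        # Exceptions are a REG_MULTI_SZ of server names; wildcards such as *.corp.example are allowed.
        New-ItemProperty -Path $Msv1Key -Name 'ClientAllowedNTLMServers' -PropertyType MultiString `
            -Value $Exceptions -Force | Out-Null
    }
    # The LSA picks the new value up for new authentications; no reboot is required.
    Get-OutboundNtlmPolicy
}

# In audit mode (1) every outbound NTLM authentication is logged as event 8001 in
# Microsoft-Windows-NTLM/Operational. Summarise the targets so the allow list can be
# built from real traffic instead of guesses. A target outside the domain, or one the
# user never knowingly connected to, is exactly what a coerced authentication looks like.
function Get-OutboundNtlmTargets {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the 8001 message body contains "Target server: <spn or host>".
        if ($e.Message -match 'Target server:\s*(\S+)') {
            [pscustomobject]@{ Time = $e.TimeCreated; Target = $Matches[1] }
        }
    } | Group-Object Target | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Target'; Expression = { $_.Name } }
}

# Suggested rollout:
Get-OutboundNtlmPolicy                                   # 1. see where the host stands
Set-OutboundNtlmPolicy -Mode 1                           # 2. audit only; nothing breaks yet
# ... let normal usage run for a day, then:
Get-OutboundNtlmTargets -Hours 24                        # 3. review real NTLM targets
Set-OutboundNtlmPolicy -Mode 2 -Exceptions $AllowedNtlmServers   # 4. deny all but the allow list
```

Two caveats. On a domain-joined machine the equivalent Group Policy setting overwrites these registry values on the next policy refresh, so in a managed environment the change belongs in a GPO rather than in a local script. And deny mode stops the client from authenticating, but the coerced SMB connection itself is still attempted; blocking outbound TCP 445 to the Internet at the perimeter is the complementary control that keeps the attacker's share from ever being reached.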

BleepingComputer has reached out to Microsoft for insights regarding the vulnerability and its plans for remediation, but a response is still pending.
