Critical Windows Zero-Day Vulnerability Lets Attackers Steal Users' NTLM Credentials

Security researchers have publicly revealed a newly discovered critical vulnerability that affects all Windows Workstation and Server versions, from Windows 7 and Server 2008 R2 to the latest Windows 11 (v24H2) and Server 2022.

The flaw allows attackers to obtain a user’s NTLM credentials simply by tricking them into viewing a malicious file in Windows Explorer.

This action could be triggered by opening a shared folder or USB disk containing such a file, or by accessing the Downloads folder where the malicious file might have been automatically downloaded from an attacker’s webpage.

After responsibly reporting the issue to Microsoft, the researchers have released micropatches to protect users until Microsoft provides an official fix. These micropatches are available free of charge during this interim period.

Details of the Vulnerability

We are withholding the exact technical details of the vulnerability to minimize the risk of exploitation. However, the researchers emphasize that the vulnerability could affect users across numerous versions of Windows.

This discovery marks the third zero-day vulnerability reported by the same team in recent months, following the Windows Theme file issue and the “Mark of the Web” issue on Windows Server 2012, both of which remain unpatched by Microsoft.

Additionally, the “EventLogCrasher” vulnerability, reported earlier this year, which allows an attacker to disable logging on all Windows domain computers, still lacks an official patch. Micropatches for this flaw continue to be the only available protection.

The team also highlighted three NTLM-related vulnerabilities, PetitPotam, PrinterBug/SpoolSample, and DFSCoerce, that are publicly known but classified as “won’t fix” by Microsoft.

These vulnerabilities remain unpatched on fully updated Windows systems and pose a potential risk to organizations using NTLM authentication.

Availability of Micropatches

To address this newly identified zero-day vulnerability, the researchers have developed and distributed micropatches for affected Windows versions. These patches are available for both legacy and up-to-date systems, covering the following:

Legacy Windows Versions:

  • Windows 7 and Server 2008 R2 (all ESU and non-ESU configurations)
  • Windows 10 (versions 1803 through 21H2)
  • Windows Server 2012 and Server 2012 R2 (with and without ESU)

Fully Updated Windows Versions:

  • Windows 10 v22H2
  • Windows 11 (versions 22H2, 23H2, and 24H2)
  • Windows Server 2022, Server 2019, and Server 2016
  • Windows Server 2012 and Server 2012 R2 with ESU 2

Micropatches have already been applied to affected online systems with 0patch Agent installed and registered through PRO or Enterprise accounts, unless enterprise group policies prevented this. We designed these fixes to be seamless, necessitating no system reboot.

How to Protect Your Systems

Organizations and individuals concerned about these vulnerabilities can take immediate action by installing the free micropatches offered by 0patch. To begin, follow these steps:

  1. Create a Free Account: Visit 0patch Central and sign up.
  2. Install 0patch Agent: Download and register the 0patch Agent software.
  3. Activate Protection: Micropatches will automatically apply after registration.

0patch provides a viable solution for ongoing security updates for organizations using Windows versions that Microsoft no longer officially supports.

Notably, 0patch has committed to providing security patches for Windows 10 even after its end-of-support date in October 2025, ensuring protection for at least five additional years.

We encourage users to utilize the provided free micropatches to maintain the security of their systems. For those relying on unsupported Windows versions, 0patch offers a vital lifeline to maintain security in an increasingly risky digital landscape.
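An added example, not code from the article or from 0patch, of the host-side checks a defender would pair with the micropatch: it audits whether outgoing NTLM is restricted and whether outbound SMB to Internet addresses is blocked, so a hash coerced out of Explorer has nowhere to go. The firewall rule name is a constructed value; run it from an elevated PowerShell.

```powershell
<#
  Audit-NtlmLeakExposure.ps1 (added example, not 0patch or article code)
  Checks two settings that limit what an NTLM credential leak via Explorer can reach:
  the outbound NTLM restriction policy and an outbound SMB (TCP 445) egress rule.
  Run elevated. -Apply enables audit-only NTLM logging and creates the egress rule.
#>
param([switch]$Apply)

$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ruleName = 'Block outbound SMB to Internet (constructed name)'   # assumed rule name

# --- 1. Outbound NTLM policy ("Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers")
#     absent/0 = allow all, 1 = audit all, 2 = deny all (2 breaks legacy NTLM-only services)
$ntlm = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($ntlm) {
    2       { Write-Host "[OK]   Outgoing NTLM to remote servers is denied" }
    1       { Write-Host "[WARN] Outgoing NTLM is audited only (event 8001 in Microsoft-Windows-NTLM/Operational)" }
    default { Write-Host "[FAIL] Outgoing NTLM is unrestricted; a leaked hash can be sent to any host" }
}

# --- 2. Egress filter: forced authentication to an external host normally rides on SMB
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule -and $rule.Enabled -eq 'True') {
    Write-Host "[OK]   Outbound TCP/445 to Internet addresses is blocked"
} else {
    Write-Host "[FAIL] No outbound block for TCP/445 to Internet addresses"
}

# --- 3. Recent audit hits: which processes tried to send NTLM to remote servers
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

if ($Apply) {
    # Audit mode (1) first, so traffic that deny mode (2) would block shows up in the log before you switch
    if (-not $ntlm) {
        New-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    Write-Host "[DONE] Applied audit-mode NTLM restriction and SMB egress block"
}
```

Review the 8001 audit events for a few days before moving the policy to deny (2), since that value blocks every NTLM logon to remote servers, including legitimate ones to systems that cannot use Kerberos.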

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
