Researchers at 0patch have uncovered a zero-day vulnerability affecting all supported versions of Windows Workstation and Server, from Windows 7 and Server 2008 R2 to the latest Windows 11 (v24H2) and Server 2022. This critical vulnerability enables attackers to capture users' NTLM credentials simply by tricking them into viewing a malicious file in Windows Explorer.
The flaw allows an attacker to extract NTLM credentials if the victim views a malicious file in Windows Explorer, such as when opening a shared folder, inserting a USB device, or navigating to the Downloads folder where the malicious file may have been placed via an attacker’s website. This technique does not require the user to open or execute the file — merely viewing it is sufficient.
While 0patch has reported the issue to Microsoft, details about the vulnerability remain undisclosed to minimize the risk of exploitation until an official fix is released. In the meantime, 0patch has developed and distributed free micropatches for the vulnerability.
This discovery marks the third zero-day vulnerability recently identified by 0patch. Previously reported issues include a Windows Theme file vulnerability that still awaits an official patch from Microsoft and a ‘Mark of the Web’ bypass on Server 2012, which also remains unresolved.
Additionally, the “EventLogCrasher” vulnerability, reported earlier this year by security researcher Florian, has still not been addressed by Microsoft. It allows attackers to disable event logging across all domain computers. 0patch provides the only available patches for these flaws.
The NTLM protocol, frequently targeted by attackers, suffers from several known issues that Microsoft has declined to patch. These include:
- PetitPotam
- PrinterBug/SpoolSample
- DFSCoerce
Despite Microsoft’s decision, 0patch offers protection for these “won't fix” vulnerabilities, emphasizing its role as a critical resource for organizations relying on NTLM.
Unofficial fix available
Micropatches for this zero-day vulnerability are free until Microsoft releases an official update. The patches cover:
- Legacy Systems: including Windows 7 and Server 2008 R2 without Extended Security Updates (ESU).
- Fully Updated Systems: covering the latest versions of Windows 10, Windows 11, and supported Windows Servers.
Organizations running outdated Windows systems or relying on NTLM authentication face significant risks from unpatched vulnerabilities. 0patch currently protects about 40% of its users against both zero-days and vulnerabilities Microsoft no longer supports.
Users are advised to follow these steps:
- Register at 0patch Central and install the 0patch Agent to protect your systems.
- Disable NTLM where possible and transition to more secure authentication protocols.
- Restrict access to shared folders and USB devices, and enforce strict download controls.
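One concrete way to start on the second step (restricting NTLM) on an individual Windows host is to read the registry values that back Microsoft's "Network security: Restrict NTLM" group policies, move outgoing NTLM into audit mode, and review the resulting audit events before denying it outright. The PowerShell below is an added example written for this page; it is not 0patch's code and has nothing to do with their micropatch. The registry paths, value meanings and event ID 8001 are those documented by Microsoft for these policies; the function names and the 24-hour lookback window are this example's own choices. Run it from an elevated prompt, and note that on domain-joined machines the equivalent Group Policy settings take precedence over these local values.

```powershell
# Added example for this page: local audit of the NTLM restriction settings that
# back the "Network security: Restrict NTLM" group policies. Not 0patch code.
# Requires an elevated PowerShell session; Group Policy overrides these values
# on domain-joined hosts.

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = Join-Path $Lsa 'MSV1_0'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, i.e. the policy is "Not Defined".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NtlmRestrictionPosture {
    # Value-to-meaning tables follow Microsoft's policy documentation.
    $outgoingMap = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
    $incomingMap = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
    $auditInMap  = @{ 0 = 'Disabled';  1 = 'Audit domain accounts';    2 = 'Audit all accounts' }

    $outgoing = Get-RegistryDword $Msv10 'RestrictSendingNTLMTraffic'
    $incoming = Get-RegistryDword $Msv10 'RestrictReceivingNTLMTraffic'
    $auditIn  = Get-RegistryDword $Msv10 'AuditReceivingNTLMTraffic'
    $lmLevel  = Get-RegistryDword $Lsa   'LmCompatibilityLevel'
    # Servers exempted from the outgoing restriction (REG_MULTI_SZ, may be absent).
    $exceptions = (Get-ItemProperty -Path $Msv10 -Name 'ClientAllowedNTLMServers' -ErrorAction SilentlyContinue).ClientAllowedNTLMServers

    [pscustomobject]@{
        OutgoingNtlm       = if ($null -eq $outgoing) { 'Not defined (allow all)' } else { $outgoingMap[$outgoing] }
        IncomingNtlm       = if ($null -eq $incoming) { 'Not defined (allow all)' } else { $incomingMap[$incoming] }
        IncomingAudit      = if ($null -eq $auditIn)  { 'Not defined (disabled)'  } else { $auditInMap[$auditIn] }
        # 5 = send NTLMv2 only and refuse LM/NTLM; absent means the OS default applies.
        LmCompatibility    = if ($null -eq $lmLevel)  { 'Not defined (OS default)' } else { $lmLevel }
        OutgoingExceptions = @($exceptions) -join ', '
    }
}

function Set-OutgoingNtlmMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Allow', 'Audit', 'Deny')]
        [string]$Mode
    )
    # Suggested rollout: Audit first, review Get-RecentOutgoingNtlmAudit, then Deny.
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    if ($PSCmdlet.ShouldProcess($Msv10, "Set RestrictSendingNTLMTraffic = $value ($Mode)")) {
        Set-ItemProperty -Path $Msv10 -Name 'RestrictSendingNTLMTraffic' -Value $value -Type DWord
    }
}

function Get-RecentOutgoingNtlmAudit {
    param([int]$Hours = 24)   # lookback window; this example's own default
    # Event 8001 in Microsoft-Windows-NTLM/Operational is written when outgoing
    # NTLM is in audit mode (value 1): each record names the remote server the
    # client authenticated to, so unexpected destinations stand out.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Summary = ($_.Message -split "`n")[0]
            }
        }
}

# Usage: report the current posture; the two commented lines show the next steps.
Get-NtlmRestrictionPosture | Format-List
# Set-OutgoingNtlmMode -Mode Audit -WhatIf        # preview the change, then run without -WhatIf
# Get-RecentOutgoingNtlmAudit | Format-Table -AutoSize
```

Audit mode alone stops nothing; its value is the list of remote servers the host actually uses NTLM with, which is what an administrator needs before switching the policy to Deny without breaking legitimate logons. Any server that must keep using NTLM can be placed in the exception list rather than leaving the restriction off entirely.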
CyberInsider has contacted Microsoft about the issue, but a comment was not immediately available.
None Of Your Business
Sooooo….you are making the claim that this is a new vulnerability, and not the one that was patched almost a month ago by MS?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451
I mean, come on now. The odds of two vulnerabilities, with the SAME exact outcome, being discovered just a month apart?
Nah, 0Patch wouldn’t lie about that, would they? Noooooooo…..
Jonesy
re: Anonymous #2 “…You get the point.” – Well said. Wish I could just upvote. 🙂
Anonymous
I like the hint of disdain for Microsoft in this article. The reason they have declined to fix it is because security updates don't apply to older versions of Windows; it will likely get patched on Windows 11.
I don't really care as I don't even own a machine with Winblows on it. Unless you do VERY specific work, like CAD programming, you should divorce Windows and opt for Linux.
Archy
In case anyone is wondering, I use Arch Linux.
Anonymous
This is a very arrogant and simplistic view of the current IT world. IT staff struggle to get users to understand Windows… an operating system that’s been around for nearly 40 years with a UI. And you’re expecting everyone to just… transition to Linux?
You would immediately lose most of your productive apps or be restricted to web-versions only. Most of the developed workforce around Windows Systems Administration would be useless in your hiring pool. You’re going to need someone familiar with Linux (broadly) and your flavor of Linux.
The cost for something like this would easily be in the hundreds of thousands for even a small company. Millions, if not more, if you have anything reasonably complex. Then factor in all of the lost productivity as users re-learn a completely new set of tools.
Also: “The reason they have declined too fix it is because security updates dont apply too older versions of Windows [sic].”
Pretty much all vendors do this. Apple doesn’t maintain their original desktops. Linux doesn’t support their original kernel. Linux distros like Red Hat don’t maintain old versions (RHEL 4, 5, 6, and 7 being deprecated). You get the point.
None
I completely agree with you right up to the point where MS is notified of the issue and refuses to do anything about it.
IMHO… at the date and time of notification, MS should become legally liable for any and all damages arising from the vulnerability….
Put this in the legal precedent and I bet they (MS) will start patching PDQ!