Critical Zero-Day Vulnerability Discovered in Windows: Zero-Day NTLM Threat

  • Thread Author
On December 6, 2024, a grave new zero-day vulnerability was unearthed, sending shivers down the spines of IT departments and cybersecurity experts alike. This flaw allows attackers to stealthily harvest NTLM (NT LAN Manager) credentials by merely tricking a user into previewing a malicious file in Windows Explorer. Surprisingly, opening the file is not even necessary; simply viewing it is enough for an attacker to seize valuable authentication credentials.

A Sneak Peek into the Vulnerability​

Discovered and disclosed by the 0patch team—a platform known for providing unofficial support for legacy Windows versions—the vulnerability has not yet received an official fix from Microsoft, despite a report being filed. Importantly, no Common Vulnerabilities and Exposures (CVE) ID is currently assigned to this threat, indicating a rather urgent situation that demands immediate attention.
This vulnerability is not confined to a select few versions but rather impacts a broad swath of Windows operating systems, stretching from the venerable Windows 7 and Server 2008 R2, all the way to the cutting-edge Windows 11 24H2 and Server 2022 versions.

The Mechanics of the Exploit​

What makes this vulnerability particularly insidious is its exploitation method; an attacker can remotely trigger an NTLM connection simply by having a victim view a specific file. This could happen through any number of scenarios: opening a shared folder that contains the malicious file, connecting a USB drive loaded with it, or navigating to a previously downloaded item in their Downloads folder.
Once the file is viewed, Windows automatically initiates an outbound NTLM connection to a remote share. This process transmits NTLM hashes from the logged-in user straight to the attacker, who can then use techniques to crack these hashes, potentially gaining access to usernames and plaintext passwords. As we have seen in the past, using NTLM for authentication comes with significant vulnerabilities that are actively exploited in various cyber attacks.

0patch's Response and What Users Should Do​

In light of the imminent risk posed by this zero-day, 0patch has decided not to release specific technical details about the vulnerability until Microsoft issues an official patch, in order to prevent further exploitation. However, the organization is actively offering a free micropatch to all users registered on its platform. For those with PRO and Enterprise accounts, the micropatch has already been applied automatically—unless the system’s configurations prevent such actions.
To obtain this micropatch, users can create a free account on the 0patch Central platform, initiate a free trial, install the agent, and allow it to automatically apply the necessary patches. This process does not require a system reboot, making it a relatively painless option for users concerned about their security.

Alternatives: Disabling NTLM Authentication​

For users reluctant to implement the unofficial patch, there exists the option to disable NTLM authentication altogether via group policy settings. Navigate to Security Settings > Local Policies > Security Options, and configure the "Network security: Restrict NTLM" policies. This step can also be executed through registry modifications, providing a layer of security against this newly uncovered vulnerability.

Concerns Over Unresolved Vulnerabilities​

Alarmingly, this incident comes on the heels of two other zero-day vulnerabilities that 0patch reported to Microsoft without prompt resolution: a Mark of the Web (MotW) bypass affecting Windows Server 2012 and a Windows Themes vulnerability that enabled drifted NTLM credentials. The persistence of unresolved vulnerabilities highlights the broader issue plaguing security in the Microsoft ecosystem, adding to the urgency for both patching and possibly reconsidering reliance on outdated authentication methods.

The Future of NTLM​

Given that Microsoft has publicly discussed its intent to phase out NTLM authentication protocols in future iterations of Windows 11, this vulnerability underscores the necessity of accelerating that transition. Organizations still relying on NTLM for intra-office communications and user authentication must remain vigilant, as the strategies deployed by attackers are growing increasingly sophisticated.

Wrap-Up​

In a world increasingly dominated by digital threats, staying informed is your best defense. The discovered zero-day vulnerability not only poses a significant risk to Windows users across multiple versions but also calls into question the vulnerabilities inherent in legacy authentication methods. As Microsoft evaluates its response, users should take action, either by applying 0patch's micropatch or disabling NTLM to mitigate risks.
As always, remain in the loop on future security updates and advisories to protect your data and credentials. Keep your systems armored against unwanted guests, because in the realm of cybersecurity, an ounce of prevention truly is worth a pound of cure.

Source: BleepingComputer New Windows zero-day exposes NTLM credentials, gets unofficial patch