
Alarming New Windows Zero-Day Vulnerability Exposes NTLM Hashes – Unofficial Patches Now Available!
2025-03-25
Author: Olivia
Overview
In a startling development, a new zero-day vulnerability affecting all Windows versions, from Windows 7 through Windows 11, has been disclosed. The flaw lets remote attackers capture NTLM (Windows NT LAN Manager) credentials by tricking victims into opening malicious files in Windows Explorer.
Implications of the Vulnerability
The implications are severe. NTLM credentials have long been a prized target for attackers. They are abused in NTLM relay attacks, in which an attacker coerces a victim machine into authenticating to a server the attacker controls and then relays that authentication to another service, and in pass-the-hash attacks, in which the captured hash is reused directly to masquerade as the compromised user and gain unauthorized access to sensitive information.
Last year, Microsoft announced plans to phase out the NTLM protocol in forthcoming versions of Windows 11, but this vulnerability is a stark reminder that the risks remain today.
Discovery of the Vulnerability
Researchers at ACROS Security identified this SCF file NTLM hash disclosure flaw while developing fixes for a related issue. Alarmingly, the vulnerability has not yet been assigned a CVE ID, which raises concerns about its potential exploitation. It is a widespread threat, affecting not only end-user operating systems but also server editions, from Windows Server 2008 R2 through Windows Server 2025.
Expert Insights
Mitja Kolsek, CEO of ACROS Security, elaborated on the vulnerability, stating, “An attacker can extract a user’s NTLM credentials simply by having them view a harmful file in Windows Explorer—this could happen through accessing a malicious shared folder or a USB drive.”
Nature of the Threat
Although the vulnerability is not classified as critical, and exploiting it depends on specific circumstances, such as the attacker being on the victim's network or the victim's machine being able to reach an external attacker-controlled host, these attack vectors have been used in real cyber incidents.
Micropatches Offered for Immediate Protection
In response to this discovery, ACROS Security has made free, unofficial fixes available through its 0Patch micropatching service to all affected Windows users until Microsoft issues an official remedy. Kolsek remarked, “We’ve notified Microsoft of this issue and, as per our protocol, have rolled out micropatches that will remain complimentary until Microsoft delivers an official solution.”
Installing the micropatch requires users to create an account and install the 0Patch agent, which then applies the patch automatically without a system restart, a point in its favor for those wary of downtime.
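Alongside the micropatch, two host-level Windows controls limit what an NTLM leak triggered by a file viewed in Explorer can achieve: the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, which is stored as the RestrictSendingNTLMTraffic value under the MSV1_0 Lsa key, and an outbound firewall rule that blocks SMB (TCP 445) to Internet addresses. The script below is an added example, not code from the article, ACROS Security or 0patch; it reports both settings and, with the assumed -Enforce switch, applies them. The rule name and the choice to start in audit mode are this script's own assumptions. Run it from an elevated PowerShell session.

```powershell
<#
Added example (not from the article or 0patch): check and optionally apply two
host-level mitigations against NTLM hash leakage.
  1. Restrict outgoing NTLM to remote servers (registry-backed policy).
  2. Block outbound SMB (TCP 445) to Internet addresses via Windows Firewall.
-Enforce is this script's own switch; without it the script only reports.
#>
[CmdletBinding()]
param([switch]$Enforce)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit all, 2 = deny all
$ruleName  = 'Block outbound SMB to Internet (NTLM leak mitigation)'   # assumed rule name

function Get-OutgoingNtlmPolicy {
    # An absent value means the Windows default, which allows all outgoing NTLM.
    $item = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

$labels    = @{ 0 = 'Allow all (default)'; 1 = 'Audit all'; 2 = 'Deny all' }
$ntlmState = Get-OutgoingNtlmPolicy
Write-Host ("Outgoing NTLM to remote servers: {0}" -f $labels[$ntlmState])

$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Host ("Outbound SMB block rule present: {0}" -f ($null -ne $rule))

if (-not $Enforce) { return }

# Start in audit mode (1): the NTLM operational log then records which remote
# servers still rely on NTLM before anything is denied. Move to 2 (deny) once
# the audit log is clean for the systems you care about.
if ($ntlmState -eq 0) {
    New-ItemProperty -Path $lsaKey -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Host 'Set outgoing NTLM restriction to Audit all.'
}

# Block rules take precedence over allow rules, so a block scoped to the
# built-in "Internet" address keyword leaves SMB to the local subnet and
# intranet untouched while stopping authentication to external hosts.
if ($null -eq $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
    Write-Host 'Created outbound SMB block rule.'
}
```

Audit events for the NTLM restriction appear in the Microsoft-Windows-NTLM/Operational log. Two caveats a practitioner should keep in mind: the "Internet" address keyword is resolved by Network Location Awareness, so the rule is only as accurate as the network profile classification, and when SMB is blocked Windows can fall back to WebDAV over HTTP if the WebClient service is running, which is why stopping that service is a common companion step to this rule.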
Microsoft's Response
A Microsoft representative commented on the vulnerability, stating, “We are aware of this report and will take steps as required to ensure our customers remain protected.”
Conclusion and Recommendations
For those concerned about their cyber safety, this disclosure is a potent reminder of the ongoing challenges in the security landscape. ACROS Security has previously reported several other zero-day vulnerabilities, some of which Microsoft has yet to address, underscoring the need for robust security measures across all platforms.
As digital threats evolve, users are encouraged to stay vigilant, keep their systems updated, and consider using available patching services to shield themselves from such damaging vulnerabilities. Protect your data before it’s too late!