Headline
Microsoft NTLM Zero-Day to Remain Unpatched Until April
The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.
Source: QINQIE99 via Shutterstock
Microsoft has released fresh guidance to organizations on how to mitigate NTLM relay attacks by default, days after researchers reported finding a NTLM hash disclosure zero-day in all versions of Windows Workstation and Server, from Windows 7 to current Windows 11 versions.
However, it was not immediately clear if the two developments are related or purely coincidental in terms of timing. In any event, the bug, which doesn’t yet have a CVE or CVSS score, is not expected to be patched for months.
Windows NTLM Zero-Day Allows Credential Theft
Researchers from ACROS Security reported finding a zero-day bug in all supported Windows versions. The bug allows an attacker to grab a user’s NTLM credentials simply by getting the user to view a malicious file via the Windows Explorer file management utility.
“Opening a shared folder or USB disk with such file or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s Web page” is all it takes for credential compromise, Mitja Kolsek, CEO of ACROS Security wrote in a blog post.
ACROS said it would not release any further information on the bug until Microsoft has a fix for it. But Kolsek tells Dark Reading that an attacker’s ability to exploit the bug depends on various factors.
“It’s not easy to find where the issue is exploitable without actually trying to exploit it,” he explains. Microsoft has assessed the vulnerability as being of moderate or “Important” severity, a designation that is one notch lower than “Critical” severity bugs. The company plans to issue a fix for it in April, Kolsek says.
In an emailed comment, a Microsoft spokesman said the company is “aware of the report and will take action as needed to help keep customers protected.”
The bug is the second NTLM credential leak zero-day that ACROS has reported to Microsoft since October. The previous one involved a Windows Themes spoofing issue and allowed attackers a way to coerce victim devices into sending NTLM authentication hashes to attacker-controlled devices. Microsoft has not yet issued a patch for that bug either.
The bugs are among several NTLM-related issues that have surfaced in recent years including PetitPotam, DFSCoerce, PrinterBug/SpoolSample, and, recently, one affecting the open source policy enforcement engine.
Legacy Protocol Dangers
Windows NTLM (NT LAN Manager) is a legacy authentication protocol that Microsoft includes in modern Windows for backward compatibility purposes. Attackers have frequently targeted weaknesses in the protocol to intercept authentication requests and forward or “relay” them to access other servers or services to which the original users have access.
In its advisory this week, Microsoft described NTLM-relaying as a “popular attack method used by threat actors that allows for identity compromise.” The attacks involve coercing a victim to authenticate to an attacker-controlled endpoint and relaying the authentication against a vulnerable target server or service. The advisory pointed to vulnerabilities that attackers have used previously, such as CVE-2023-23397 in Outlook and CVE-2021-36942 in Windows LSA, to exploit service that lack protections against NTLM-relaying attacks.
In response to such attacks, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server, the company said. The latest Windows Server 2025 ships with EPA enabled by default for both AD CS and LDAP.
The advisory highlighted the need for organizations to enable EPA specially for Exchange Server, given the “unique role that Exchange Server plays in the NTLM threat landscape.” The company pointed to CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 as examples of recent vulnerabilities that attackers have exploited for NTLM coercion purposes. “Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them,” the company says.
Kolsek says it’s unclear if Microsoft’s advice for protecting against NTLM attacks has anything to do with his recent bug disclosure. "[But] if possible, follow Microsoft’s recommendations on mitigating NTLM-related vulnerabilities," he says. “If not, consider 0patch,” he adds, referring to the free micropatches that his company provides for vulnerabilities, especially in older and no longer supported software products.
About the Author
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.
Related news
Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.
Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.
Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
By Waqas The #MonikerLink security flaw in Microsoft Outlook allows hackers to execute arbitrary code on the targeted device. This is a post from HackRead.com Read the original post: New MonikerLink Flaw Exposes Outlook Users to Data Theft and Malware
Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday.
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.
Dell vApp Manger, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.
Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available.
Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.
October's CVE update is here. Here's which security vulnerabilities to patch now to exorcise your Microsoft systems demons.
Microsoft WordPad Information Disclosure Vulnerability
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's
Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security
Facebook users are notoriously the biggest offenders for sharing fake news and misinformation.
The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.
Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.
Microsoft Outlook Elevation of Privilege Vulnerability
May 9, 2023 update: Releases for Microsoft Products has been updated with the release of CVE-2023-29324 - Security Update Guide - Microsoft - Windows MSHTML Platform Security Feature Bypass Vulnerability March 24, 2023 update: Impact Assessment has been updated to a link to Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.
Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch […]
Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month's patch batch includes fixes for seven "critical" flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.