A new Windows fault threatens your PC, an unofficial fix is available

ACROS Security researchers have identified a new security flaw in Windows code. The vulnerability allows an attacker to obtain a user's NTLM credentials, experts say. NTLM (New Technology LAN Manager) is the authentication protocol developed by Microsoft to verify user identities. The credentials in question are hashes of user passwords, which are stored on the operating system. They are used during the authentication process to validate the user's identity without having to transmit the password in clear text over the network. The protocol was developed in the 1990s.

A malicious file in Windows Explorer

To get their hands on these credentials, attackers must convince the target to "view a malicious file" in Windows Explorer. For example, attackers can rely on the target "opening a malicious file located in a shared folder or on a USB flash drive", or opening the Downloads folder where this file would have been automatically downloaded from the attacker's website.

ACROS Security researchers admit that exploitation of the flaw, the details of which have not been disclosed, depends on "several factors." These include that "the attacker is already in the victim's network" or that the attacker uses the intercepted credentials to authenticate to a public Exchange server. All versions of Windows, from Windows 7 to the most recent versions of Windows 11, as well as from Windows Server 2008 R2 to Windows Server 2025, are affected.

This is not the first time that a threat has loomed over NTLM credentials. In the past, many cybercriminals have relied on the authentication protocol to conduct cyberattacks. A flaw in NTLM hashes was patched last month. As ACROS Security points out, NTLM vulnerabilities have been proven to be exploited in attacks.

Faced with numerous identified abuses, Microsoft has announced its intention to discontinue the protocol. Microsoft states that all versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active development and are considered obsolete. In addition, the company has begun removing NTLM from recent versions of Windows. Future versions of Windows 11 will be without it.

An unofficial patch is available

Fearing that cybercriminals will exploit the NTLM security flaw, ACROS Security has posted an unofficial Windows patch on its website. This patch, which takes the form of several micropatches, will remain free "until Microsoft has provided an official patch." Simply visit the 0Patch micropatching service to obtain the patches.

In a response to Bleeping Computer, Microsoft has pledged to take "the necessary measures to protect customers". The American group has not provided further details on the deployment date of an update.

Source: 0Patch
