
NTLM hash theft happens with file opening

A newly discovered zero-day vulnerability affects all major Windows versions from Windows 7 to Windows 11. Attackers can access NTLM hashes by tricking users into viewing a specially manipulated file in Explorer.

Critical security vulnerability discovered in Windows

There is only one catch with this security hole: there is a patch, but it is unofficial, i.e. not from Microsoft. This explosive zero-day vulnerability potentially threatens millions of users from Windows 7 to the latest Windows 11 version, as well as server versions from 2008 to 2022. The vulnerability allows attackers to obtain users' NTLM credentials.

The situation is doubly troubling: on the one hand, this login standard is considered outdated, and on the other hand, it is enough for a successful attack if the user simply displays a crafted file in Windows Explorer. Together, these two facts make the vulnerability even more serious. Opening a shared folder, connecting a USB stick or opening the downloads folder is enough for exploitation if a manipulated file was previously stored there.

As Günter Born reports in his blog, security researchers at Acros Security discovered this vulnerability and reported it to Microsoft. Details of exactly how it works are being withheld to minimize the risk of exploitation. Microsoft has not yet released an official patch. In the absence of an official update from Microsoft, Acros Security researchers have developed an unofficial micropatch. It is distributed via the so-called 0patch agent and is intended to close the vulnerability effectively.

The patch is currently available for free and will remain so until Microsoft provides an official solution. However, the use of third-party patches is not without controversy. Experts generally recommend installing only official updates from the manufacturer. In this case, however, the 0patch micropatch could be a sensible interim solution until Microsoft reacts.

NTLM – obsolete but widely used protocol

The vulnerability affects the NTLM authentication protocol, which Microsoft has officially deprecated. However, it is still used in many Windows systems. If attackers capture an NTLM hash, they can attempt to crack the associated password or abuse the hash for further attacks. Microsoft has long been recommending that companies switch to the more modern Kerberos protocol. The current vulnerability underscores the urgency.

The problem is not new. A similarly spectacular security gap made headlines back in February.

How dangerous is the gap?

The zero-day vulnerability affects all Windows versions from Windows 7 to Windows 11 as well as Server 2008 to 2022. It allows attackers to access NTLM credentials. What is particularly critical is that simply viewing a crafted file in Windows Explorer is sufficient, and this can happen through various everyday actions.

Is there an official fix?

Microsoft has not yet released an official patch for this vulnerability. The vulnerability was discovered by Acros Security and reported to Microsoft. As a temporary solution, an unofficial micropatch from Acros Security is available via the 0patch agent. It is free until Microsoft provides an official solution.

How can I protect myself?

Until an official patch is available, do not connect unknown USB sticks and take special care when opening network shares. Open the downloads folder with caution, as manipulated files could be there too. One option is to install the unofficial 0patch micropatch.

What is an NTLM hash?

NTLM is an authentication protocol that Microsoft has classified as obsolete but that is still widely used. The NTLM hash is a hashed form of the user's credentials. If attackers capture such a hash, they can attempt to crack the associated password or abuse the hash for further attacks.

Who is particularly at risk?

Basically, all users of Windows systems are at risk, as the vulnerability can be easily exploited. The situation is particularly critical for companies: in corporate environments, NTLM is often still used for compatibility reasons, so the risk is particularly high there.

Is 0patch trustworthy?

Acros Security, the developer of 0patch, is a well-known security company. Experts discuss the patch as a temporary solution, but it is generally recommended to install only official updates from the manufacturer. Use of third-party patches is at your own risk.

Which systems are affected?

The vulnerability affects all Windows versions from Windows 7 to the current Windows 11. All server versions from 2008 to 2022 are also at risk. The problem is particularly far-reaching because the affected NTLM protocol is still active in many systems despite its age.

Are there alternatives to NTLM?

Microsoft recommends switching to the more modern Kerberos protocol, which is significantly more secure. However, completely replacing NTLM is often complex. Companies are advised to limit the use of NTLM where possible and gradually switch to more secure authentication methods.
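As an added example (not part of the article, and not 0patch or Acros Security code), the following PowerShell turns the advice to limit NTLM into a check: it reads the local NTLM hardening settings, reports what is still open, and lists audited outgoing NTLM authentications from the last day. It assumes an elevated shell on a Windows host and uses the Lsa/MSV1_0 registry value names and the NTLM operational log event 8001 as documented by Microsoft.

```powershell
# Added example: audit local NTLM restrictions and recent outgoing NTLM use.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value was never set (policy "Not defined").
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# LmCompatibilityLevel: 5 = send NTLMv2 only, refuse LM and NTLMv1.
$lmLevel  = Get-RegValue $lsa 'LmCompatibilityLevel'
# RestrictSendingNTLMTraffic: 0/undefined = allow all, 1 = audit all, 2 = deny all.
$outbound = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
# AuditReceivingNTLMTraffic: 0 = disabled, 1 = domain accounts, 2 = all accounts.
$inAudit  = Get-RegValue $msv 'AuditReceivingNTLMTraffic'

$findings = @()
if ($null -eq $lmLevel -or $lmLevel -lt 5) {
    $findings += "LmCompatibilityLevel is '$lmLevel'; set to 5 so only NTLMv2 responses are sent."
}
if ($null -eq $outbound -or $outbound -eq 0) {
    $findings += "Outgoing NTLM to remote servers is unrestricted; set RestrictSendingNTLMTraffic to 1 (audit), then 2 (deny) once exceptions are known."
}
if ($null -eq $inAudit -or $inAudit -eq 0) {
    $findings += "Incoming NTLM is not audited; set AuditReceivingNTLMTraffic to 2 to inventory remaining NTLM users."
}
if ($findings.Count -eq 0) { "NTLM restrictions look tight on $env:COMPUTERNAME." }
else { $findings | ForEach-Object { "FINDING: $_" } }

# With outgoing NTLM in audit mode, each attempt against a remote server is logged
# as event 8001 in the NTLM operational log; the target server named in the message
# is what a defender reviews for hosts that should never receive NTLM.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Detail'; e = { ($_.Message -split "`n") | Select-Object -First 3 } } |
    Format-List
```

The registry values mirror the Group Policy entries under Security Options ("Network security: Restrict NTLM: ..."), so on a domain-joined machine set them through policy rather than directly in the registry.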
