Full Report
Free unofficial patches are available for a new Windows zero-day vulnerability that can let remote attackers steal NTLM credentials by tricking targets into viewing malicious files in Windows Explorer. [...]
Analysis Summary
# Vulnerability: Windows Zero-Day NTLM Hash Disclosure
## CVE Details
- CVE ID: Not explicitly provided for the new flaw (it is a zero-day).
- CVSS Score: Not explicitly provided.
- CWE: Not provided. The weakness class is credential exposure (information disclosure of NTLM hashes); the CWE-307 mapping given in the source summary, whose actual title is "Improper Restriction of Excessive Authentication Attempts", does not describe this bug class.
## Affected Systems
- Products: Windows operating systems.
- Versions: Not specified in the summary, but implied to be numerous, since 0patch issued micropatches for multiple Windows versions.
- Configurations: Unknown, but likely related to NTLM usage.
## Vulnerability Description
A newly discovered zero-day vulnerability in Windows allows an attacker to obtain a target's NTLM hash, without needing administrator privileges, by getting the user to view a malicious file in Windows Explorer. The mechanism appears similar to previously disclosed NTLM disclosure flaws, though specific technical details are being withheld pending an official Microsoft patch.
## Exploitation
- Status: Zero-day; whether it is being exploited in the wild is not stated in the summary. Details are being withheld by the researchers to prevent wider abuse.
- Complexity: Likely Low to Medium, given the context of previous similar NTLM vulnerabilities (like PetitPotam).
- Attack Vector: Per the summary, user interaction with a malicious file in Windows Explorer, which causes the victim machine to initiate an outbound connection that is subject to an NTLM authentication challenge from an attacker-controlled server.
## Impact
- Confidentiality: High (NTLM hashes can be cracked offline or relayed for authentication).
- Integrity: Potentially High (if hashes are cracked or relayed, attackers may gain unauthorized network access).
- Availability: Low (Direct impact on system availability is unlikely, focusing primarily on credential compromise).
## Remediation
### Patches
- **Official Patch:** None specified by Microsoft at the time of the report.
- **Unofficial Patch:** 0patch has released micropatches for all affected Windows versions via its micropatching service.
### Workarounds
- Users should monitor for official advisories from Microsoft.
- **Mitigation via 0patch Agent:** Install the 0patch agent, which applies the micropatch automatically and without a system restart (unless blocked by custom policy).
- *Note: Given the nature of NTLM disclosure, disabling NTLM entirely or enforcing Kerberos where possible is a sensible long-term defense, though the report does not list this as an immediate workaround.*
## Detection
- **Indicators of Compromise (IOCs):** Not detailed, as technical exploit specifics are withheld.
- **Detection Methods and Tools:** Security teams should monitor for outbound connections from endpoints that negotiate NTLM with untrusted (external) servers, and for unusual authentication-related traffic patterns that precede potential credential exposure events.
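The outbound-NTLM check above, as an added example that is not part of the original report: it scans Sysmon-like network-connection records (constructed sample events with assumed field names) and flags outbound SMB connections to addresses outside the internal RFC 1918 space, the network side effect of a hash leak triggered from Explorer.

```python
import ipaddress
from typing import Iterable, List, Optional

# Assumption: the internal network lives in RFC 1918 space; anything else is untrusted.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Ports over which the Windows SMB client sends NTLM authentication transparently.
# WebDAV (80/443) also carries NTLM but needs a service allowlist to avoid noise.
NTLM_PORTS = {445: "SMB", 139: "NetBIOS/SMB"}

def is_untrusted(ip: str) -> bool:
    """True when the destination is outside the trusted internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)

def classify(event: dict) -> Optional[str]:
    """Sysmon-like Event ID 3 record (field names are assumptions) -> alert text or None."""
    if not event.get("initiated"):            # only connections we initiated can leak
        return None
    port = event.get("dest_port")
    if port not in NTLM_PORTS or not is_untrusted(event["dest_ip"]):
        return None
    image = event.get("image", "?").rsplit("\\", 1)[-1]
    return (f"possible NTLM leak: {image} -> {event['dest_ip']}:{port} "
            f"({NTLM_PORTS[port]}) user={event.get('user', '?')}")

def scan(events: Iterable[dict]) -> List[str]:
    """Return one alert line per suspicious outbound connection."""
    return [alert for alert in map(classify, events) if alert]

# Constructed sample events; 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_EVENTS = [
    {"image": "System", "user": "NT AUTHORITY\\SYSTEM", "initiated": True,
     "dest_ip": "203.0.113.10", "dest_port": 445},   # SMB to an external host
    {"image": r"C:\Windows\System32\svchost.exe", "user": "CORP\\alice",
     "initiated": True, "dest_ip": "10.0.0.5", "dest_port": 445},   # internal file server
    {"image": "System", "user": "NT AUTHORITY\\SYSTEM", "initiated": False,
     "dest_ip": "203.0.113.10", "dest_port": 445},   # inbound, not a leak
    {"image": r"C:\Program Files\Browser\browser.exe", "user": "CORP\\alice",
     "initiated": True, "dest_ip": "203.0.113.20", "dest_port": 443},   # ordinary HTTPS
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Feed real Sysmon Event ID 3 data by mapping its DestinationIp, DestinationPort, Initiated, Image and User fields onto the same dictionary keys.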
## References
- Vendor Advisories: Microsoft advisory pending.
- Relevant Links:
  - https://www.bleepingcomputer.com/news/security/new-windows-zero-day-leaks-ntlm-hashes-gets-unofficial-patch/
  - 0patch micropatching service: https://0patch.com
  - 0patch agent installation: https://central.0patch.com