A critical zero-day vulnerability has recently been discovered in all versions of Windows, from Windows 7 to the latest Windows 11 updates. This flaw allows attackers to steal NTLM credentials without user interaction, simply by accessing a malicious file on the system. The scope of this vulnerability is particularly worrying as it affects Windows desktops and servers, a window of opportunity for large-scale targeted attacks.
A zero-day security flaw affecting all versions of Windows OS
If you haven’t yet received the feature update for Windows 11 version 24H2, in its first round of releases, it may be time to check your updates. Microsoft announced yesterday that the rollout of this update has now been extended to more systems. However, the update also brings some important bad News on the security front.
On the same day, the 0patch team warned of the discovery of a zero-day vulnerability in Windows, enabling attackers to steal NTLM credentials via malicious files. This vulnerability affects all versions of Windows and server editions. 0patch researchers have identified the flaw, which allows an attacker to retrieve NTLM credentials simply by displaying a malicious file in Windows Explorer, whether via a shared folder, USB drive or even the Downloads folder, if the file has been downloaded automatically from a malicious web page. Microsoft has been informed of the situation and users are strongly encouraged to apply security updates as soon as they become available.
An unofficial patch has been released by the 0patch team
The 0patch team, which specializes in the creation of unofficial patches, recently uncovered a zero-day vulnerability that could compromise the security of Windows users. The problem is alarmingly simple: all a user has to do is view a malicious file in Windows Explorer, and their NTLM credentials are captured. This attack can occur in common scenarios, such as opening a shared folder, connecting a malicious USB stick, or simply consulting the Downloads folder, if a booby-trapped file has been previously downloaded.
NTLM credentials are used for authentication on Windows systems. When stolen, attackers can either impersonate the user, or attempt to recover the cleartext password by brute force. This flaw joins a worrying series of similar vulnerabilities discovered in 2024, underlining the persistence of threats targeting Windows infrastructure.
Although Microsoft has been informed of this vulnerability, no official patch has yet been released. This delay in Microsoft’s response echoes other unpatched vulnerabilities, such as PetitPotam and PrinterBug. While waiting for an official solution, 0patch has developed an unofficial patch, available free of charge. This temporary patch is particularly recommended for sensitive systems, until a permanent solution is available.
NTLM protocol gradually phased out as obsolete and vulnerable
This problem comes at a time when Microsoft is considering phasing out the NTLM protocol, deemed obsolete and vulnerable. The company is now encouraging migration to more secure, modern authentication solutions. While waiting for the official patch, users are advised to be vigilant, particularly when browsing shared folders or connecting external devices.
