Micropatchers share 1-instruction fix for NTLM hash leak flaw in Windows 7+
(2024/12/07)
- Reference: 1733528058
- News link: https://www.theregister.co.uk/2024/12/06/opatch_zeroday_microsoft/
- Source link:
Updated Acros Security claims to have found an unpatched bug in Microsoft Windows 7 and onward that can be exploited to steal users' OS account credentials.
The flaw-finding biz – which develops and releases unofficial "micropatches" to close holes in software that vendors won't address – says this particular bug is an NTLM vulnerability.
We're told victims who view a maliciously crafted file in vulnerable versions of Windows Explorer may have their NTLM hash leaked, presumably to a remote miscreant via the network. Exact details of how this bug can be exploited have understandably not yet been disclosed; we're not aware of it being under attack yet, either.
[1]
For those interested, how this type of bug manifests in Windows and how this class of flaw is exploited in general was explained [2]neatly here late last month by Morphisec with examples. Leaked NTLM credential hashes can be used to authenticate as users or cracked to reveal their plaintext passwords, potentially.
[3]
[4]
According to Acros on Thursday, this latest flaw affects all systems from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022.
"The vulnerability allows an attacker to obtain user's NTLM credentials by simply having the user view a malicious file in Windows Explorer - eg, by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page," [5]said CEO Mitja Kolsek.
[6]
Acros, which says it has contacted Microsoft about the bug, will be issuing a one-processor-instruction binary micropatch to fix the problem, which will be free until Redmond releases an official fix. Until then, as we said, it's keeping quiet about the details. The Windows slinger had no comment at the time of going to press.
It could be that Microsoft thinks the issue isn't serious enough to fix. Acros has reported several zero-days to the tech giant in the past, including a [7]similar NTLM-related issue with Windows Themes in October and a [8]Mark of the Web problem in Server 2012 products in the following month.
Also while the unofficial micropatch being one instruction in size suggests it is a small fix in software engineering terms, even a tiny change like that needs to be thoroughly tested to make sure it doesn't break existing software below and above the kernel-userspace fold.
[9]Windows Themes zero-day bug exposes users to NTLM credential theft
[10]Microsoft's Jet crash: Zero-day flaw drops after deadline passes
[11]Do you really think crims would do that? Just go on the 'net and exploit a Windows zero-day?
[12]Windows 10 given an extra year of supported life, for $30
Micropatching is an interesting industry. It caters to organizations that want more than short-term mitigations, and wish to address the root cause of a security flaw, with or without an official update from a supplier. A micropatch that overwrites a few instructions at the heart of a bug to shut down the risk may be just the ticket, provided it's gone through sufficient testing by the client as well as the micropatch issuer.
As miraculous as they may sound, micropatches have been known to cause their own problems. But with less than a year to go before Windows 10 is retired and sent to a beautiful bit barn in the country where it can roam freely, some IT managers looking to keep the OS safe may resort to micropatches in future.
[13]
Microsoft will, of course, be happy to sell you extended support for Windows 10. Previously this was not available to normal folk, but [14]that changed in October when Microsoft introduced a single-year option for $30. Enterprise users will initially pay $61 per device, rising to $244 by year three. Education buyers get a break, with the package costing a total of $7 for three years of support.
As for Windows 7, mainstream support ended in 2015, extended support in 2020, and support for some embedded uses in 2021. ®
Updated to add at 0254 UTC
Microsoft got back to us simply to say: "We are investigating this report and will take action as needed to help keep customers protected.”
Get our [15]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://blog.morphisec.com/5-ntlm-vulnerabilities-unpatched-privilege-escalation-threats-in-microsoft
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/10/30/zeroday_windows_themes/
[8] https://blog.0patch.com/2024/11/windows-server-2012-mark-of-web.html
[9] https://www.theregister.com/2024/10/30/zeroday_windows_themes/
[10] https://www.theregister.com/2018/09/20/microsoft_jet_database_zero_day/
[11] https://www.theregister.com/2018/09/06/microsoft_windows_attacked_wild/
[12] https://www.theregister.com/2024/10/31/microsoft_windows_10_support/
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://www.theregister.com/2024/10/31/microsoft_windows_10_support/
[15] https://whitepapers.theregister.com/
The flaw-finding biz – which develops and releases unofficial "micropatches" to close holes in software that vendors won't address – says this particular bug is an NTLM vulnerability.
We're told victims who view a maliciously crafted file in vulnerable versions of Windows Explorer may have their NTLM hash leaked, presumably to a remote miscreant via the network. Exact details of how this bug can be exploited have understandably not yet been disclosed; we're not aware of it being under attack yet, either.
[1]
For those interested, how this type of bug manifests in Windows and how this class of flaw is exploited in general was explained [2]neatly here late last month by Morphisec with examples. Leaked NTLM credential hashes can be used to authenticate as users or cracked to reveal their plaintext passwords, potentially.
[3]
[4]
According to Acros on Thursday, this latest flaw affects all systems from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022.
"The vulnerability allows an attacker to obtain user's NTLM credentials by simply having the user view a malicious file in Windows Explorer - eg, by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page," [5]said CEO Mitja Kolsek.
[6]
Acros, which says it has contacted Microsoft about the bug, will be issuing a one-processor-instruction binary micropatch to fix the problem, which will be free until Redmond releases an official fix. Until then, as we said, it's keeping quiet about the details. The Windows slinger had no comment at the time of going to press.
It could be that Microsoft thinks the issue isn't serious enough to fix. Acros has reported several zero-days to the tech giant in the past, including a [7]similar NTLM-related issue with Windows Themes in October and a [8]Mark of the Web problem in Server 2012 products in the following month.
Also while the unofficial micropatch being one instruction in size suggests it is a small fix in software engineering terms, even a tiny change like that needs to be thoroughly tested to make sure it doesn't break existing software below and above the kernel-userspace fold.
[9]Windows Themes zero-day bug exposes users to NTLM credential theft
[10]Microsoft's Jet crash: Zero-day flaw drops after deadline passes
[11]Do you really think crims would do that? Just go on the 'net and exploit a Windows zero-day?
[12]Windows 10 given an extra year of supported life, for $30
Micropatching is an interesting industry. It caters to organizations that want more than short-term mitigations, and wish to address the root cause of a security flaw, with or without an official update from a supplier. A micropatch that overwrites a few instructions at the heart of a bug to shut down the risk may be just the ticket, provided it's gone through sufficient testing by the client as well as the micropatch issuer.
As miraculous as they may sound, micropatches have been known to cause their own problems. But with less than a year to go before Windows 10 is retired and sent to a beautiful bit barn in the country where it can roam freely, some IT managers looking to keep the OS safe may resort to micropatches in future.
[13]
Microsoft will, of course, be happy to sell you extended support for Windows 10. Previously this was not available to normal folk, but [14]that changed in October when Microsoft introduced a single-year option for $30. Enterprise users will initially pay $61 per device, rising to $244 by year three. Education buyers get a break, with the package costing a total of $7 for three years of support.
As for Windows 7, mainstream support ended in 2015, extended support in 2020, and support for some embedded uses in 2021. ®
Updated to add at 0254 UTC
Microsoft got back to us simply to say: "We are investigating this report and will take action as needed to help keep customers protected.”
Get our [15]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://blog.morphisec.com/5-ntlm-vulnerabilities-unpatched-privilege-escalation-threats-in-microsoft
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/10/30/zeroday_windows_themes/
[8] https://blog.0patch.com/2024/11/windows-server-2012-mark-of-web.html
[9] https://www.theregister.com/2024/10/30/zeroday_windows_themes/
[10] https://www.theregister.com/2018/09/20/microsoft_jet_database_zero_day/
[11] https://www.theregister.com/2018/09/06/microsoft_windows_attacked_wild/
[12] https://www.theregister.com/2024/10/31/microsoft_windows_10_support/
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1PWeoV9VxBt4bCF0Gq5jQAAAIM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://www.theregister.com/2024/10/31/microsoft_windows_10_support/
[15] https://whitepapers.theregister.com/
Micropatch
Anonymous Coward
"will be issuing a one-processor-instruction binary micropatch"
Good for some users.
Better to reverse engineers who will now see in which DLL/SYS the vulnerability is and develop the 1day themselves.
Ace2
How does this work with code signing?
Anonymous Coward
Well, the official signed binary is defective and Microsoft signs bad code on a Monthly basis. Do what you will.
0patch for the win!
If you are a personal user, and want to be on the Up-and-Up, the path of least resistance is to get the ESU until 2026, then 0patch until 2028, and then re-evaluate your options.
You may want to be on the Up-and-Up either because your moral compass is strong, or because your work demands you to be on the Up-and-Up (say, you work in industries regulated by the HIIPA,PCI, GDPR, etc)
There are options to get 3 years ESU, or LTSC2019 for us normal folk, without going to the high seas, or bending the license so much it becomes a pretzel, but those are fortuitous or very convoluted.
And better not talk about LTSC IoT 2021