Micropatchers share 1-instruction fix for NTLM hash leak flaw in Windows 7+
Acros Security claims to have found an unpatched bug in Microsoft Windows 7 and onward that can be exploited to steal users’ OS account credentials.
The flaw-finding biz – which develops and releases unofficial “micropatches” to close holes in software that vendors won’t address – says this particular bug is an NTLM vulnerability.
We’re told victims who view a maliciously crafted file in vulnerable versions of Windows Explorer may have their NTLM hash leaked, presumably to a remote miscreant via the network. Exact details of how this bug can exploited have understandably not yet been disclosed; we’re not aware of it being under attack yet, either.
For those interested, how this type of bug manifests in Windows and how this class of flaw is exploited in general was explained neatly here late last month by Morphisec with examples. Leaked NTLM credential hashes can be used to authenticate as users or cracked to reveal their plaintext passwords, potentially.
According to Acros on Thursday, this latest flaw affects all systems from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer – eg, by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” said CEO Mitja Kolsek.
Acros, which says it has contacted Microsoft about the bug, will be issuing a one-processor-instruction binary micropatch to fix the problem, which will be free until Redmond releases an official fix. Until then, as we said, it’s keeping quiet about the details. The Windows slinger had no comment at the time of going to press.
It could be that Microsoft thinks the issue isn’t serious enough to fix. Acros has reported several zero-days to the tech giant in the past, including a similar NTLM-related issue with Windows Themes in October and a Mark of the Web problem in Server 2012 products in the following month.
Micropatching is an interesting industry. It caters to organizations that want more than short-term mitigations, and wish to address the root cause of a security flaw, with or without an official update from a supplier. A micropatch that overwrites a few instructions at the heart of a bug to shut down the risk may be just the ticket, provided it’s gone through sufficient testing by the client as well as the micropatch issuer.
As miracle as they may sound, micropatches have been known to cause their own problems. But with less than a year to go before Windows 10 is retired and sent to a beautiful bit barn in the country where it can roam freely, some IT managers looking to keep the OS safe may resort to micropatches in future.
Microsoft will, of course, be happy to sell you extended support for Windows 10. Previously this was not available to normal folk, but that changed in October when Microsoft introduced a single-year option for $30. Enterprise users will initially pay $61 per device, rising to $244 by year three. Education buyers get a break, with the package costing a total of $7 for three years of support.
As for Windows 7, mainstream support ended in 2015, extended support in 2020, and support for some embedded uses in 2021. ®
READ MORE HERE