A worrying vulnerability has just been disclosed by a cybersecurity research team. It reportedly affects all versions of the operating system and can be exploited simply by viewing a file in Windows Explorer.
A team of cybersecurity researchers from the company ACROS Security has just revealed a flaw affecting almost all versions of Windows currently in circulation, from Windows 7 to 11 for desktop versions and from Windows Server 2008 to 2022 for server versions. The vulnerability is of the “0-day” type, which means that it has only just been disclosed and has not yet been assigned a CVE number (Common Vulnerabilities and Exposures, a public catalogue of information and documentation on known computer vulnerabilities).
As the authors of the discovery explain on a page of the 0patch blog dedicated to the subject, the vulnerability concerns Microsoft’s NTLM protocol and allows an attacker to recover sensitive data. More precisely, exploiting the flaw makes it possible to intercept the hashed credentials exchanged between a client and a server that communicate over a network via the NTLM protocol. Obtaining the hash could make it possible to recover the original password by brute force, although this is unlikely, but above all to carry out “authentication relay” attacks.
What seems particularly worrying in light of ACROS Security’s statements is the attack vector used to exploit this security flaw. According to the company, it is enough for the user to view a file in Windows Explorer, without even opening it, for the vulnerability to be triggered. Merely displaying a file in a shared folder on a server, on a USB key or on an external drive could therefore be enough to set off the data theft. While this flaw sounds frightening on paper, its scale must nevertheless be put into perspective, at least for the moment.
What is NTLM and where is it used?
NTLM, for New Technology LAN Manager, is an authentication protocol used on Windows computer networks. This security mechanism allows servers to verify the identity of the clients that send them requests, while keeping the credentials confidential. When a client computer attempts to access remote resources, the server computer sends it a “challenge”, which the client can only answer correctly if it knows the password.
However, the client computer does not transmit its password in clear text over the network, but only a hash of it (the result of a mathematical function that can only be computed in one direction). The server computer can thus authenticate the client computer with certainty without the credentials themselves being exposed. NTLM has been considered obsolete by Microsoft since summer 2023, and the company recommends using the newer and more secure Kerberos authentication protocol instead.
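To make the challenge/response described above concrete, here is an added example (not code from the article, from ACROS Security or from 0patch) that walks through an NTLMv2-style exchange in pure Python: the NT hash is MD4 of the UTF-16LE password, the server sends an 8-byte challenge, and the client answers with HMAC-MD5 over that challenge keyed by a value derived from its hash. The user name, domain and password are constructed sample values, and the client “blob” is simplified (real NTLMv2 blobs also carry AV_PAIR target information). The MD4 fallback is included because modern OpenSSL builds often disable MD4 as a legacy algorithm.

```python
# Added example (not from the article): an NTLMv2-style challenge/response
# exchange, showing that only a challenge and a keyed hash cross the wire,
# never the password, and that the server verifies with its stored NT hash alone.
# User, domain, password and nonces below are constructed sample values.
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """MD4 digest: OpenSSL when available, otherwise a pure-Python fallback."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        pass                                      # MD4 disabled as "legacy": compute it ourselves
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rotl((a + F(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = int(f"{i:04b}"[::-1], 2)
            a = rotl((a + H(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is what Windows stores for the account."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 binds the hash to the account: HMAC-MD5(NT hash, UPPER(user) || domain)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || blob, NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob)."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash. The password is never needed."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange(password: str, user: str = "alice", domain: str = "EXAMPLE",
                 server_challenge: bytes = None, client_nonce: bytes = None):
    """Simulate one logon; return what an eavesdropper sees on the wire and the server's verdict."""
    server_challenge = server_challenge or os.urandom(8)
    client_nonce = client_nonce or os.urandom(8)
    # Simplified NTLMv2 blob: version marker, zero timestamp, client nonce, padding (no AV_PAIRs).
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + client_nonce + b"\x00" * 4
    stored = nt_hash("correct horse")                         # sample account record on the server
    response = ntlmv2_response(nt_hash(password), user, domain, server_challenge, blob)
    on_the_wire = {"challenge": server_challenge.hex(), "response": response.hex()}
    return on_the_wire, server_verify(stored, user, domain, server_challenge, response)


if __name__ == "__main__":
    wire, ok = run_exchange("correct horse")
    print("on the wire:", wire)
    print("server accepted:", ok)
```

The point of `server_verify` is the one the article makes: the server only needs the stored hash, so the hash is effectively equivalent to the password, and anyone who captures a challenge together with its response can replay the same computation offline against candidate passwords, or relay the exchange to another server that accepts NTLM.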
However, the NTLM protocol is still widely used on corporate networks, on certain online services, and on certain home networks equipped with small NAS-type servers. The discovery of a technique for stealing hashed credentials transmitted via NTLM should therefore not be taken lightly, although no evidence of active exploitation is known at the moment.
How do I know if my computer uses the NTLM protocol?
The answer to this question is not straightforward and requires a combination of tools and methods. To find out whether your computer communicates with remote servers or services using the NTLM protocol, you can use network traffic analysis software such as Wireshark, applying a filter that keeps only the packets and data flows exchanged over the NTLM protocol.
You can also check the documentation of the hardware and software you use at home, such as a NAS server, to see whether they support and use the NTLM protocol for network communication. You can also consult Group Policies and the Windows Registry to find applications or services that use the NTLM protocol, but these sources are unfortunately hard to interpret for a user with little or no experience.
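As an added example of what the Wireshark filter mentioned above (the `ntlmssp` display filter) actually keys on, here is a small Python detector that is not part of the article: it scans a captured byte buffer for the `NTLMSSP\0` signature that starts every NTLM message, both raw (as inside SMB, RPC or LDAP) and base64-encoded inside HTTP `Authorization: NTLM` headers, and reports which account, domain and workstation authenticated with NTLM and what the server challenged. The capture it runs over is constructed in the script (a fake Outlook-on-the-web request and a fake file-server challenge), and the two `build_*` helpers exist only to fabricate that sample; the field layouts follow MS-NLMP.

```python
# Added example (not from the article): locate NTLMSSP messages in captured data,
# the same signature Wireshark's "ntlmssp" filter matches, and report which
# accounts still authenticate with NTLM. The sample capture is constructed.
import base64
import re
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001        # strings are UTF-16LE when this flag is set


def _field(msg: bytes, pos: int) -> bytes:
    """Read one Len/MaxLen/Offset descriptor (MS-NLMP 2.2.2) and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def _text(raw: bytes, flags: int) -> str:
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii", "replace")


def parse_ntlmssp(msg: bytes) -> dict:
    """Decode the defender-relevant fields of a NEGOTIATE (1), CHALLENGE (2) or AUTHENTICATE (3) message."""
    if not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 2:                                    # CHALLENGE: TargetName at 12, flags at 20, challenge at 24
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": "CHALLENGE", "target": _text(_field(msg, 12), flags),
                "server_challenge": msg[24:32].hex()}
    if mtype == 3:                                    # AUTHENTICATE: LM 12, NT 20, Domain 28, User 36, Workstation 44, flags 60
        flags = struct.unpack_from("<I", msg, 60)[0]
        return {"type": "AUTHENTICATE",
                "domain": _text(_field(msg, 28), flags),
                "user": _text(_field(msg, 36), flags),
                "workstation": _text(_field(msg, 44), flags),
                "ntlmv2": len(_field(msg, 20)) > 24}   # an NTLMv1 NT response is exactly 24 bytes
    return {"type": "NEGOTIATE" if mtype == 1 else f"UNKNOWN({mtype})"}


def find_ntlm(buffer: bytes) -> list:
    """Scan a raw capture for NTLM messages, base64-encoded in HTTP headers or embedded raw."""
    found = []
    for m in re.finditer(rb"NTLM ([A-Za-z0-9+/=]+)", buffer):          # HTTP: Authorization / WWW-Authenticate
        try:
            found.append(parse_ntlmssp(base64.b64decode(m.group(1))))
        except (ValueError, struct.error):
            pass
    for m in re.finditer(re.escape(SIGNATURE), buffer):                 # raw: SMB, RPC, LDAP, ...
        try:
            found.append(parse_ntlmssp(buffer[m.start():]))
        except (ValueError, struct.error):
            pass
    return found


def build_authenticate(domain: str, user: str, workstation: str, nt_response: bytes) -> bytes:
    """Fabricate a minimal AUTHENTICATE_MESSAGE (sample data only): 88-byte header incl. Version and MIC."""
    payload, fields, offset = b"", [], 88
    for raw in (b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
                user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        fields.append(struct.pack("<HHI", len(raw), len(raw), offset))
        payload += raw
        offset += len(raw)
    return (SIGNATURE + struct.pack("<I", 3) + b"".join(fields)
            + struct.pack("<I", NEGOTIATE_UNICODE) + b"\x00" * 24 + payload)


def build_challenge(target: str, challenge: bytes) -> bytes:
    """Fabricate a minimal CHALLENGE_MESSAGE (sample data only): 56-byte header, TargetName in payload."""
    raw = target.encode("utf-16-le")
    return (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(raw), len(raw), 56)
            + struct.pack("<I", NEGOTIATE_UNICODE) + challenge + b"\x00" * 8
            + struct.pack("<HHI", 0, 0, 56 + len(raw)) + b"\x00" * 8 + raw)


# Constructed sample capture: an HTTP request carrying NTLM, then a raw SMB-style fragment.
SAMPLE_CAPTURE = (
    b"GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\nAuthorization: NTLM "
    + base64.b64encode(build_authenticate("CORP", "alice", "WS01", b"\xAA" * 48)) + b"\r\n\r\n"
    + b"\xfeSMB" + b"\x00" * 12 + build_challenge("FILESRV", b"\x11" * 8)
)

if __name__ == "__main__":
    for hit in find_ntlm(SAMPLE_CAPTURE):
        print(hit)
```

Run against a real capture (for instance the raw bytes of a pcap, or a TCP stream exported from Wireshark), `find_ntlm` gives a quick inventory of which hosts and accounts still fall back to NTLM, which is the first thing to know before deciding whether this flaw concerns you.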
How to protect yourself from the NTLM protocol flaw?
The flaw discovered by 0patch has just been disclosed and reported to Microsoft, which has not yet published a security patch. Since the NTLM protocol is considered obsolete by Microsoft itself, and the company recommends that all developers and users migrate to the Kerberos protocol, it is uncertain whether a fix will be offered at all.
The group of researchers behind the discovery offers an unofficial patch, available as a “free” download for the moment. We put the word in quotation marks because the company states on the page dedicated to this topic that, to get the patch, you need to “create a free account in 0patch Central, start a free trial, then install and register 0patch Agent.”
Given that this is a commercial company whose business is to provide security services for systems that Microsoft has stopped maintaining, this “free patch” could be a kind of loss leader meant to encourage worried users to subscribe to paid offers. As it stands, I’m not sure whether this unofficial fix is useful or necessary for everyone.
For ordinary Windows users, the recommendations therefore come down to being careful when browsing and retrieving resources online or on a local network: do not download anything, do not open an unfamiliar directory in a shared folder, do not plug in a USB key or external disk of dubious origin, and do not run unknown programs. In short, the usual good practices for using a computer.