Zero-day Windows NTLM hash vulnerability gets patched by third-party — credentials can be hijacked by merely viewing a malicious file in File Explorer

Back in June 2023, Microsoft officially announced it had deprecated support for its New Technology LAN Manager authentication protocol, which debuted in 1993 with Windows NT 3.1. It advised users to upgrade to Windows Negotiate but unfortunately, modern TLM vulnerabilities are still targeted at machines from Windows 7/Server 2008 R2 to Windows 11 Version 24H2 and Server 2022, and 0Patch recently discovered a new NTLM vulnerability that allows credential hijacking from merely viewing an infected folder, not even requiring the file to be directly opened.

While newer versions of Windows like Windows 11 will likely see a patch for this exploit in the coming weeks or months, older versions of Windows like Windows 7 are in particular danger. Windows 10 should still see a patch, but with 10's support due to end in October of next year and a paid support plan being required to extend it past that, the risk of issues like these remaining unpatched in the final release only increases.

This zero-day NTLM authentication exploit isn't the only one found and reported to Microsoft by 0Patch recently — 0Patch also mentions three non-NTLM zero-day vulnerabilities and three other NTLM-related "won't fix" vulnerabilities as vulnerabilities it has patched in Microsoft's stead in its original blog post. These patches will all remain free until Microsoft releases its own patches — which they won't at all for "won't fix" vulnerabilities, or for versions of Windows that are no longer being supported or covered under a paid support extension plan. We've covered 0Patch in the past for providing an alternative to Microsoft's support model, on this note.

Fortunately, 0Patch notes in the comments of its official post that an attack exploiting this particular NTLM authentication issue has yet to be seen in the wild. Some existing security solutions may even automatically block these issues as they arise — but there's no guarantee that all or even most of the impacted users will have such mitigations in place.

Additionally, the actual patch ("micropatch") only addresses a single vulnerable NTLM instruction. So in theory, installing it should be pretty harmless... but this is still an unofficial security patch, so you can choose what to do according to your own discretion. Hopefully, Microsoft addresses this and other vulnerabilities in official updates sooner rather than later — if networking credentials being stolen from even just viewing an impacted folder in File Explorer it is quite a scary possibility.