Critical Windows NTLM Zero-Day Vulnerability Left Unpatched Until April 2024

A recently discovered zero-day security vulnerability affecting all Windows versions will remain unpatched until April 2024, according to security researchers at ACROS Security.

The zero-day bug enables attackers to capture users' NTLM credentials when victims simply view a malicious file through Windows Explorer. The attack can be triggered by opening a shared folder, viewing a USB drive, or accessing the Downloads folder containing the malicious file.

Microsoft has classified the vulnerability as "Important" severity and plans to release a fix in their April update cycle. The company acknowledged the report and stated they "will take action as needed to help keep customers protected."

This marks the second NTLM credential leak zero-day reported by ACROS Security since October 2023. The previous vulnerability, which involved Windows Themes spoofing, also remains unpatched.

NTLM (NT LAN Manager) is an older authentication protocol that Microsoft maintains in modern Windows systems for compatibility reasons. Attackers frequently target NTLM weaknesses to intercept authentication requests and relay them to access other servers or services.

In response to growing NTLM-related threats, Microsoft has updated its guidance for organizations on implementing Extended Protection for Authentication (EPA). The company specifically emphasizes protecting Exchange Server installations, as Office documents and emails often serve as entry points for NTLM attacks.

While waiting for the official patch, organizations are advised to follow Microsoft's recommended mitigations for NTLM-related vulnerabilities. ACROS Security also suggests considering their 0patch solution, which provides free micropatches for security vulnerabilities, particularly for older software versions.
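The article does not list the specific interim mitigations, so the following is an added example (not code from the article, ACROS Security or Microsoft) that audits a Windows host for two hardening settings Microsoft documents against NTLM credential leaks and relay: restricting outgoing NTLM to remote servers, and blocking outbound SMB (TCP 445). It assumes an elevated PowerShell session; the firewall rule name is a hypothetical one chosen here.

```powershell
# Added example: audit outgoing-NTLM hardening on a Windows host.
# Assumes an elevated session with the NetSecurity module (Windows 8/2012+).
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-NtlmOutboundPolicy {
    # RestrictSendingNTLMTraffic: absent/0 = allow all, 1 = audit only, 2 = deny all.
    # This is the registry backing of the policy
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    $v = (Get-ItemProperty -Path $LsaPath -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) { 2 { 'Deny' } 1 { 'Audit' } default { 'Allow' } }
}

function Test-OutboundSmbBlocked {
    # True if any enabled outbound Block rule covers TCP remote port 445.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
             -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.RemotePort -contains '445')) { return $true }
    }
    return $false
}

function Enable-NtlmOutboundAuditing {
    # Mode 1 only logs (event ID 8001 in Microsoft-Windows-NTLM/Operational) and
    # breaks nothing, so it is a safe first step before moving to Deny (2).
    Set-ItemProperty -Path $LsaPath -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
}

function Get-RecentOutgoingNtlmEvents {
    # Lists outgoing-NTLM audit events; unexpected external targets here are
    # exactly the kind of leak the article describes.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Hypothetical rule name; create the block rule only if none exists yet.
if (-not (Test-OutboundSmbBlocked)) {
    New-NetFirewallRule -DisplayName 'Block outbound SMB (NTLM leak mitigation)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block | Out-Null
}

"Outgoing NTLM policy : $(Get-NtlmOutboundPolicy)"
"Outbound SMB blocked : $(Test-OutboundSmbBlocked)"
```

Blocking all outbound 445 also breaks legitimate SMB to internal file servers, so scope the rule (for example with -RemoteAddress) to non-RFC1918 ranges where internal shares are still needed.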