A dangerous zero-day vulnerability has been discovered in Windows, and a third-party developer has already released a patch for it.

The developers of the 0patch platform (owned by the Slovenian company Acros Security) have released a free micropatch that fixes an NTLM credential leak in Windows. Microsoft has promised to get involved in solving the problem later.

The issue concerns the leak of credentials for New Technology LAN Manager (NTLM), a set of Microsoft-developed security protocols used to authenticate users and computers on a network. Back in January, Microsoft patched the NTLM-related vulnerability CVE-2024-21320, but Akamai cybersecurity expert Tomer Peled then discovered that attackers could bypass the patch by sending a potential victim a Windows theme file and getting them to perform some manipulations with it; the file does not even need to be opened. After these manipulations, Windows sends authenticated network requests to remote hosts with NTLM credentials belonging to the user.

As a result, the Windows theme spoofing vulnerability CVE-2024-38030 was registered and was fixed in July. Acros Security specialists analyzed the problem and identified an additional instance of the vulnerability, which is present in all fully updated versions of Windows up to Windows 11 24H2. The company reported its discovery to Microsoft and refused to release details until the software giant fixed the new vulnerability, but released its own micropatch that closes it. “We are aware of this report and will take appropriate action to help protect customers,” Microsoft said.

To exploit the vulnerability, “a user must either copy a theme file, for example, from an email or chat to a folder or desktop, or visit a malicious site from which the file is automatically downloaded to the Downloads folder,” Acros Security explained. That is, some actions on the part of the potential victim are still necessary.
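A defensive check for the scenario described above, added here as an example (not code from 0patch, Acros Security or Microsoft): it scans folders for `.theme` files whose values point at a remote host. It assumes theme files are INI-style text and that remote references appear as UNC paths or `file://host/` URLs; the function names and the sample theme are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: a value starting with a UNC path (\\host\...) or file://host/ names
# a remote host; file:///C:/... (empty host) and %SystemRoot%\... are local.
REMOTE_VALUE = re.compile(r'^\s*"?(?:\\\\|file://)([A-Za-z0-9._@-]+)[\\/]', re.IGNORECASE)

def decode_theme(raw: bytes) -> str:
    """Decode theme text saved as UTF-16 (with BOM) or as 8-bit text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def remote_refs(text: str) -> list:
    """Return (section, key, host) for every value that points at a remote host."""
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";"):  # INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        match = REMOTE_VALUE.match(value) if sep else None
        if match and match.group(1) != ".":  # \\.\ is the local device namespace
            findings.append((section, key.strip(), match.group(1).lower()))
    return findings

def scan_dirs(dirs) -> dict:
    """Map each .theme file under the given folders to its remote references."""
    hits = {}
    for folder in map(Path, dirs):
        if not folder.is_dir():
            continue
        for path in folder.rglob("*"):
            if path.is_file() and path.suffix.lower() == ".theme":
                refs = remote_refs(decode_theme(path.read_bytes()))
                if refs:
                    hits[str(path)] = refs
    return hits

# Constructed sample; the host name and values are made up for this example.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Constructed sample
[Control Panel\Desktop]
Wallpaper=\\files.example.invalid\share\img0.jpg
"""
```

On a workstation, call `scan_dirs` with the user's Downloads and Desktop folders, the drop locations Acros Security names, and review any file it reports before it is touched in Explorer.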
