2024-12-06

0patch has revealed a 0day vulnerability that affects all desktop versions of Windows as well as Windows Server. In all, a staggering 21 different editions of Windows have the security issue, which is described as a URL File NTLM Hash Disclosure vulnerability.

The security patching firm has reported the issue to Microsoft but -- as has been the case in the past -- the Windows-maker has yet to produce a fix. Stepping up to fill the void, 0patch has released free micropatches for all affected versions of Windows.

For obvious reasons, 0patch is not currently sharing detailed information about the security issue. The free micropatches have been made available to ensure that everyone is kept safe until Microsoft gets around to releasing its own official fixes, and when this happens, 0patch will reveal more details.

In the meantime, 0patch says:

Our researchers discovered a vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022. The vulnerability allows an attacker to obtain a user's NTLM credentials by simply having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such a file, or viewing the Downloads folder where such a file was previously automatically downloaded from the attacker's web page.
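While the details of the flaw are withheld, the attack class 0patch describes (a file that, merely by being rendered in Explorer, makes Windows authenticate to a remote host) has generic mitigations that do not depend on knowing the specific trigger. The following is an added example for administrators, not code from the article or from 0patch, and it is not a substitute for the micropatch. It assumes an elevated PowerShell session; the `.url` IconFile check reflects the long-documented URL-file NTLM leak pattern and is an assumption about the mechanism, since the article does not confirm it. The registry value and firewall cmdlet are the standard Windows ones.

```powershell
# Added example (not 0patch's micropatch, not from the article): generic
# defensive steps against NTLM hash leaks triggered by files rendered in Explorer.
# Run in an elevated PowerShell. Test in a lab first: denying outbound NTLM and
# blocking outbound SMB can break access to legitimate file shares.

# 1. Audit: list .url files under the Downloads folder whose IconFile points at a
#    UNC path (\\host\share\...). Loading an icon from a remote share is the classic,
#    publicly documented URL-file NTLM leak; the article does not confirm that this
#    is the exact mechanism 0patch found, so treat this as a general hygiene check.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -Filter '*.url' -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $lines = Get-Content -Path $_.FullName -ErrorAction SilentlyContinue
    $icon = ($lines | Where-Object { $_ -match '^\s*IconFile\s*=' } | Select-Object -First 1) `
            -replace '^\s*IconFile\s*=\s*', ''
    if ($icon -and $icon -match '^\\\\') {
      [PSCustomObject]@{ File = $_.FullName; IconFile = $icon }
    }
  }

# 2. Harden: refuse to send NTLM to remote servers. This is the
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    policy; 0 = allow all, 1 = audit all, 2 = deny all. Start with 1 (audit)
#    and review the NTLM operational event log before switching to 2.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord

# 3. Block outbound SMB (TCP 445) towards the Internet at the host firewall so a
#    coerced authentication attempt cannot reach an external listener. The
#    'Internet' address keyword keeps intranet shares reachable (assumed network
#    layout; adjust to your environment).
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
  -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block `
  -RemoteAddress 'Internet' -Profile Any
```

Step 1 only surfaces files that match the assumed pattern; it is an audit, not a cleanup. Steps 2 and 3 are broad controls that reduce the impact of any NTLM coercion bug, including ones not yet disclosed, at the cost of possible breakage for legacy NTLM-only services, which is why the comments recommend an audit phase first.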

To obtain the free patch, you need to create a free account in 0patch Central. The full list of affected Windows editions is as follows:

Legacy Windows versions:

- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2012 - fully updated with no ESU or ESU 1
- Windows Server 2012 R2 - fully updated with no ESU or ESU 1
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4

Windows versions still receiving Windows Updates:

- Windows 11 v24H2 - fully updated
- Windows 11 v23H2 - fully updated
- Windows 11 v22H2 - fully updated
- Windows 10 v22H2 - fully updated
- Windows Server 2022 - fully updated
- Windows Server 2019 - fully updated
- Windows Server 2016 - fully updated
- Windows Server 2012 - fully updated with ESU 2
- Windows Server 2012 R2 - fully updated with ESU 2

More information is available here.