Latest news with #NTLM
Forbes
11-06-2025
- Forbes
Outlook Users Must Not Open These 2 Files, Microsoft Warns
Microsoft to block dangerous Outlook attachment files. Don't be fooled by all the headlines into thinking it is only Gmail users who are exposed to ongoing security threats. All email users are targets of threat actors, including Outlook, and many of the methods used in such cyberattacks are identical. This is certainly the case when it comes to the use of attachments to distribute malware or entice victims into taking the bait during a phishing attack. Microsoft has now announced that, starting in July, it will block two file types that have been observed in email-based attacks earlier this year. But don't wait for the OwaMailboxPolicy default policy update to arrive; be aware that you must not open these attachments between now and then. Here's what you need to know if you use Outlook Web or the latest Outlook for Windows. Microsoft has now confirmed that, with effect in 'early July,' the list of blocked attachments for users of Outlook Web and Outlook for Windows will be updated to include two new file types that are known to be dangerous. The BlockedFileTypes list that forms part of the default OwaMailboxPolicy will be updated to include both .library-ms and .search-ms as 'part of our ongoing efforts to enhance security in Outlook Web and the New Outlook for Windows,' Microsoft said in an official announcement. This is important stuff, as one of these file types, .library-ms which comprises Windows Lib ray files, was part of an attack against organizations exposing NTLM password hashes, as I reported in March. Anything that can help reduce the flow of attacks deployed by cybercriminals targeting email users has to be a good thing, and this ongoing action from Microsoft is a welcome move for the impacted Outlook users. The good news is that, as Microsoft confirmed, the newly blocked file types are rarely used, so the blocking should have little impact on most organizations. 'However, if your users are sending and receiving affected attachments,' Microsoft said, 'they will report that they are no longer able to open or download them in Outlook Web or the New Outlook for Windows.' Everyone should be aware that opening attachments within Outlook can be a very risky business. Do not wait until July if you use the OwaMailboxPolicy for protection, get educated and ensure you don't open these dangerous file types beforehand.
Forbes
26-03-2025
- Forbes
Windows Passwords At Risk As New 0-Day Confirmed—Act Now
This new Windows zero-day has no official fix. NurPhoto via Getty Images Oh boy, it's raining zero days for Windows users right now. Just two weeks on from Microsoft confirming no less than six zero-day attacks impacting users in the Windows operating system, like London buses, another has belatedly arrived. The difference, however, is this latest threat to all users of Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025, has no official patch from Microsoft to fix it. This is a problem when you consider the endgame of an attacker exploiting this vulnerability is to steal password cases and bypass authentication protections. The good news is that there is a way to fix it, at least while you wait for Microsoft to act. Here's what you need to know. A private message from Mitja Kolsek on the X social media platform dropped in my inbox late on March 25. I tend to take anything I receive from Kolsek seriously, as he's the CEO of ACROS Security. This company develops and distributes unofficial security patches for zero-day vulnerabilities where no official fix is available. 'We reported this to Microsoft and will not disclose details until they have issued an official patch,' was enough to trigger my journalistic intrigue and should be enough to trigger your desire to apply a temporary fix as well. Why so? Because, Kolsek explained, his researchers uncovered a vulnerability that 'allows an attacker to obtain user's NTLM credentials by having the user view a malicious file in Windows Explorer.' If this sounds familiar, there's a good reason for that: I reported on a very similar Windows zero-day Dec. 6, 2024. Similar, but not the same. The 'impact and attack scenarios of this issue are identical,' Kolsek said, but the latest vulnerability is different and not yet publicly discussed. As already mentioned, Kolsek isn't going to be releasing the full technical details any time soon, at least not until Microsoft has issued a patch. What we do know is that these NT Lan Manager vulnerabilities can enable an attacker to steal Windows credentials by simply tricking the user into viewing a malicious file. NTLM is a suite of Microsoft security protocols providing authentication, integrity and confidentiality to users. This is why the zero-day is of such importance, although it's not thought of as critical. 'These types of vulnerabilities are not critical,' Kolsek said, 'and their exploitability depends on several factors.' But, and it's a big but, they have been used in real-world attacks, and that's all you need to know. Well, that and the minor detail that NTLM exploits, including relay attacks to bypass authentication and pass-the-hash attacks to steal credentials, are widely used to gain access to networks, with all that can bring to the hacking party. Given all of the above and the fact that a Microsoft spokesperson said, 'We are aware of this report and will take action as needed to help keep customers protected,' which likely means waiting until the next Patch Tuesday at least, I'd recommend taking action now. This is where Kolsek and his micro patch solution enter stage left. 0patch seeks to address the vulnerability gap, that time between a zero-day being discovered and an official patch being released, by providing free mini-fixes in the meantime. This works using a patching agent that analyzes processes and applies any new patch in memory without disturbing the process itself. 'Since this is a 0day vulnerability with no official vendor fix available,' Kolsek said, 'we are providing our micropatches for free until such fix becomes available.' If you use Windows, you know what to do.
