Critical Vulnerabilities in Microsoft Windows Could Leave Computers Exposed to a New Attack Wave


Earlier this week, in the July 2017 Patch Tuesday update, Microsoft released fixes for vulnerabilities affecting all supported versions of Windows, including the Windows 10 and Windows Server editions used in enterprises.

Researchers at Preempt analyzed and identified two vulnerabilities in the Microsoft Windows NT LAN Manager (NTLM) authentication protocol that could lead to unauthorized credential use (relay), offline password cracking and, potentially, full domain compromise.

Preempt discovered and reported both issues to Microsoft in April 2017.

For those who aren't familiar with the terminology, NT LAN Manager (NTLM) is a suite of Microsoft challenge-response authentication protocols that also provides integrity and confidentiality for a session. It replaced the older LAN Manager (LANMAN) protocol and is still used as a fallback whenever Kerberos cannot be used, which is why it remains an attractive target.

What we know about these two vulnerabilities

1. The first NTLM vulnerability, CVE-2017-8563, is what Preempt calls "unprotected LDAP from NTLM relay" (Microsoft classifies it as an elevation-of-privilege vulnerability). LDAP signing, where it is configured, protects an LDAP session against Man-in-the-Middle (MitM) tampering, but it does not protect against credential forwarding: an attacker who receives an NTLM authentication from a victim can relay it to a domain controller's LDAP service and be authenticated there as the victim.

The attack is possible because Windows protocols that authenticate through the Windows authentication API (SSPI) can be negotiated down to NTLM. If a user, particularly a privileged one, connects from a Windows machine to a server the attacker controls over SMB, WMI, SQL or HTTP, the attacker can capture that NTLM authentication and relay it to the domain controller instead of completing it locally.

If the relayed account is a domain admin, the attacker can use the resulting LDAP session to create a new administrator account and take full control of the attacked domain.

2. The second NTLM vulnerability, which has no CVE identifier, concerns Remote Desktop Protocol (RDP) Restricted-Admin mode, a mode that, as the Preempt research team describes it, allows "users to connect to a remote machine without volunteering their password to the remote machine that might be compromised". Preempt found that a Restricted-Admin connection can be downgraded to NTLM authentication.

This means that every attack that works against NTLM, such as credential relaying and offline password cracking, can also be carried out against an RDP Restricted-Admin session, even though the mode exists precisely to keep the administrator's credentials away from a possibly compromised host.

Researchers from Preempt also noted that once an admin connects to an attacker-controlled endpoint over RDP Restricted-Admin, HTTP or a file share (SMB), the attacker can relay that authentication and create a rogue domain admin account. Any environment that still relies on NTLM is exposed in this way, and both individuals and organizations risk losing sensitive data.
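To make the relay mechanism behind both findings concrete, here is an added example (it is not code from Heimdal, Preempt or Microsoft) that models the relevant pieces of NTLMv2 in plain Python: the NTOWFv2 key, the NTLMv2 response, and the MsvAvChannelBindings value that ties an authentication to the TLS certificate the client actually saw. It shows why a domain controller that does not check channel bindings accepts a relayed authentication, why one that enforces them (the LdapEnforceChannelBinding setting Microsoft introduced with the CVE-2017-8563 fix) rejects it, and why the attacker cannot repair the relayed message. The user name, the NT hash and the "certificate" bytes are constructed test values, and the timestamp field is zeroed rather than set to the real FILETIME.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed inputs. In real NTLM the NT hash is MD4(UTF-16LE(password)); a fixed
# value stands in for it here so the example does not depend on MD4 in OpenSSL.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "alice", "CORP"
DC_LDAPS_CERT = b"constructed DER certificate of dc01.corp.local"

def ntowfv2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain)) [MS-NLMP 3.3.2]."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def channel_binding_token(tls_cert: Optional[bytes]) -> bytes:
    """MsvAvChannelBindings value: MD5 over a gss_channel_bindings_struct whose only
    populated field is application_data = 'tls-server-end-point:' + hash(server cert)
    (RFC 5929; SHA-256 here). With no TLS channel the struct is all zeros."""
    app_data = (b"tls-server-end-point:" + hashlib.sha256(tls_cert).digest()) if tls_cert else b""
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()

def av_pairs(target: str, cbt: bytes) -> bytes:
    """TargetInfo with MsvAvNbComputerName (0x0001), MsvAvChannelBindings (0x000A), MsvAvEOL."""
    name = target.encode("utf-16-le")
    return (struct.pack("<HH", 0x0001, len(name)) + name
            + struct.pack("<HH", 0x000A, len(cbt)) + cbt
            + struct.pack("<HH", 0x0000, 0))

def extract_av(temp: bytes, av_id: int) -> Optional[bytes]:
    """Walk the AV pairs inside 'temp' (28 header bytes precede TargetInfo)."""
    pos = 28
    while True:
        aid, alen = struct.unpack_from("<HH", temp, pos)
        pos += 4
        if aid == 0x0000:
            return None
        if aid == av_id:
            return temp[pos:pos + alen]
        pos += alen

def client_authenticate(server_challenge: bytes, target: str, tls_cert: Optional[bytes]) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp, with
    NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || temp). The client binds to
    whatever TLS certificate it saw on the connection it is authenticating over."""
    temp = (b"\x01\x01" + b"\x00" * 6          # RespType, HiRespType, reserved
            + b"\x00" * 8                      # timestamp (zeroed in this model)
            + os.urandom(8)                    # client challenge
            + b"\x00" * 4
            + av_pairs(target, channel_binding_token(tls_cert))
            + b"\x00" * 4)
    proof = hmac.new(ntowfv2(NT_HASH, USER, DOMAIN), server_challenge + temp, "md5").digest()
    return proof + temp

def server_verify(server_challenge: bytes, response: bytes, my_cert: bytes, enforce_cbt: bool) -> str:
    """Domain controller side: recompute NTProofStr from the stored hash. With channel
    binding enforced (LdapEnforceChannelBinding = 2 after the July 2017 update) it also
    requires that the bindings the client signed name *this* server's certificate."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowfv2(NT_HASH, USER, DOMAIN), server_challenge + temp, "md5").digest()
    if not hmac.compare_digest(proof, expected):
        return "rejected: bad NTProofStr"
    if enforce_cbt and extract_av(temp, 0x000A) != channel_binding_token(my_cert):
        return "rejected: channel binding mismatch"
    return "accepted"

def legitimate_logon() -> str:
    """Alice binds to LDAPS on DC01 directly and sees DC01's certificate."""
    challenge = os.urandom(8)
    return server_verify(challenge, client_authenticate(challenge, "DC01", DC_LDAPS_CERT),
                         DC_LDAPS_CERT, enforce_cbt=True)

def relay_through_attacker(enforce_cbt: bool) -> str:
    """Alice opens the attacker's SMB share (no TLS). The attacker opens LDAPS to DC01,
    forwards DC01's challenge to Alice and forwards Alice's response to DC01 unchanged."""
    dc_challenge = os.urandom(8)
    response = client_authenticate(dc_challenge, "DC01", tls_cert=None)
    return server_verify(dc_challenge, response, DC_LDAPS_CERT, enforce_cbt)

def relay_with_forged_cbt() -> str:
    """The attacker cannot fix up the bindings: patching DC01's CBT into TargetInfo breaks
    NTProofStr, which is keyed with NTOWFv2, a value the attacker never obtains."""
    dc_challenge = os.urandom(8)
    response = client_authenticate(dc_challenge, "DC01", tls_cert=None)
    forged = (response[:16 + 28]
              + av_pairs("DC01", channel_binding_token(DC_LDAPS_CERT)) + b"\x00" * 4)
    return server_verify(dc_challenge, forged, DC_LDAPS_CERT, enforce_cbt=True)

if __name__ == "__main__":
    print("direct LDAPS logon        :", legitimate_logon())
    print("relay, no channel binding :", relay_through_attacker(enforce_cbt=False))
    print("relay, channel binding on :", relay_through_attacker(enforce_cbt=True))
    print("relay with forged bindings:", relay_with_forged_cbt())
```

The point of the model is the middle case: the relayed response is cryptographically valid, so nothing in NTLM itself stops the forwarding; only a property of the transport (the TLS certificate the client saw) can. Installing the update is not enough on its own: on domain controllers the new LdapEnforceChannelBinding value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters must be set to 2 (and LDAPServerIntegrity to 2 for signing on plain LDAP) for the check to be enforced, and clients that do not send channel bindings will then be refused, so test before rolling it out domain-wide.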

Preempt also created a video demonstration to briefly show how these two different NTLM vulnerabilities work and how they could be exploited.

Unlike WannaCry and Petya, which exploited a remote code execution flaw in SMB, these are authentication flaws, but they share the same ingredient of unpatched Windows systems across an entire network, and Petya already showed how stolen credentials turn one compromised host into a foothold on the whole domain. It might be a matter of days or weeks until they are weaponized, so take all the precautions and install the latest Windows updates as soon as possible.

To better understand how a cyber attack works and how cybercriminals find and exploit unpatched vulnerabilities in software, we strongly recommend viewing the graphic below.


We believe it's essential to understand that proactive security measures against unknown threats have long-term benefits for both individuals and organizations, and that they need to be taken seriously in order to avoid losing sensitive data.

Once again, we emphasize the fact that the best protection against these criminal attacks remains proactive security mixed with basic cyber security education.

About Heimdal Security
We protect users and companies from cyber-criminal actions, by keeping confidential information and intellectual property safe. We build products focused on proactive cyber security and we dedicate a big part of our efforts to cyber security education for everyone.