Windows Passwords At Risk As New 0-Day Confirmed—Act Now


Forbes, 26-03-2025

This new Windows zero-day has no official fix.
Oh boy, it's raining zero days for Windows users right now. Just two weeks on from Microsoft confirming no fewer than six zero-day attacks impacting users in the Windows operating system, like London buses, another has belatedly arrived. The difference, however, is that this latest threat to all users of Windows Workstation and Server versions, from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025, has no official patch from Microsoft to fix it. This is a problem when you consider the endgame of an attacker exploiting this vulnerability is to steal password hashes and bypass authentication protections. The good news is that there is a way to fix it, at least while you wait for Microsoft to act. Here's what you need to know.
A private message from Mitja Kolsek on the X social media platform dropped in my inbox late on March 25. I tend to take anything I receive from Kolsek seriously, as he's the CEO of ACROS Security. This company develops and distributes unofficial security patches for zero-day vulnerabilities where no official fix is available. 'We reported this to Microsoft and will not disclose details until they have issued an official patch,' was enough to trigger my journalistic intrigue and should be enough to trigger your desire to apply a temporary fix as well. Why so? Because, Kolsek explained, his researchers uncovered a vulnerability that 'allows an attacker to obtain user's NTLM credentials by having the user view a malicious file in Windows Explorer.'
If this sounds familiar, there's a good reason for that: I reported on a very similar Windows zero-day Dec. 6, 2024. Similar, but not the same. The 'impact and attack scenarios of this issue are identical,' Kolsek said, but the latest vulnerability is different and not yet publicly discussed. As already mentioned, Kolsek isn't going to be releasing the full technical details any time soon, at least not until Microsoft has issued a patch.
What we do know is that these NT LAN Manager vulnerabilities can enable an attacker to steal Windows credentials by simply tricking the user into viewing a malicious file. NTLM is a suite of Microsoft security protocols providing authentication, integrity and confidentiality to users. This is why the zero-day is of such importance, although it's not thought of as critical. 'These types of vulnerabilities are not critical,' Kolsek said, 'and their exploitability depends on several factors.' But, and it's a big but, they have been used in real-world attacks, and that's all you need to know. Well, that and the minor detail that NTLM exploits, including relay attacks to bypass authentication and pass-the-hash attacks to steal credentials, are widely used to gain access to networks, with all that can bring to the hacking party.
Given all of the above and the fact that a Microsoft spokesperson said, 'We are aware of this report and will take action as needed to help keep customers protected,' which likely means waiting until the next Patch Tuesday at least, I'd recommend taking action now.
This is where Kolsek and his micro patch solution enter stage left. 0patch seeks to address the vulnerability gap, that time between a zero-day being discovered and an official patch being released, by providing free mini-fixes in the meantime. This works using a patching agent that analyzes processes and applies any new patch in memory without disturbing the process itself. 'Since this is a 0day vulnerability with no official vendor fix available,' Kolsek said, 'we are providing our micropatches for free until such fix becomes available.' If you use Windows, you know what to do.
