Security News > 2023 > May > Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft

Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft
2023-05-10 14:23

The vulnerability, tracked as CVE-2023-29324, has been described as a security feature bypass.

Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out Microsoft, Exchange.

"An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server," Barnea said in a report shared with The Hacker News.

"This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction."

"This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses," Barnea said.

In order to stay fully protected, Microsoft is further recommending users to install Internet Explorer Cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine.


News URL

https://thehackernews.com/2023/05/experts-detail-new-zero-click-windows.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-05-09 CVE-2023-29324 Unspecified vulnerability in Microsoft products
Windows MSHTML Platform Security Feature Bypass Vulnerability
network
low complexity
microsoft
6.5