Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it

 

 

While patching a SCF File NTLM hash disclosure issue on our security-adopted Windows versions, our researchers discovered a related vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025. The vulnerability allows an attacker to obtain user's NTLM credentials by having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page.

Impact and attack scenarios of this issue are identical to that of a previously discovered 0day in URL files (subsequently patched by Microsoft), although the flaw is different here and to our knowledge not discussed in public before. 

[Update 04/09/2025] We were informed by George Hughey with MSRC Vulnerabilities & Mitigations that Microsoft recently brought a change to how SCF files are behaving. We have confirmed that on computers with January 2025 Windows Updates installed, Windows Explorer exhibits the behavior we're describing here only if the SCF file does not have the Mark of the Web. This means that attack scenarios on still-supported Windows versions like Windows 11 v24H2 do not include drive-by-downloaded SCF files, but do still include SCF files on network shared folders or USB drives. We'd like to thank George for sharing this information with us.

Note that while these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim's network or having an external target like a public-facing Exchange server  to relay the stolen credentials to), they have been found to be used in actual attacks ([1][2]).

We reported this issue to Microsoft, and - as usual - issued micropatches for it that will remain free until Microsoft has provided an official fix.

We are withholding details on this vulnerability until Microsoft's fix becomes available to minimize the risk of malicious exploitation. 

This is the fourth 0day we have recently found and reported to Microsoft, after the Windows Theme file issue (subsequently patched by Microsoft as CVE-2025-21308), the Mark of the Web issue on Server 2012 (still a 0day without an official patch), and the URL File NTLM Hash Disclosure Vulnerability (subsequently patched by Microsoft as CVE-2025-21377).

In addition, the "EventLogCrasher" vulnerability, allowing an attacker to disable all Windows event logging on all domain computers (reported to Microsoft in January 2024 by security researcher Florian), is still waiting for an official patch so our patches for it are the only ones available.

There are also currently three NTLM-related publicly known "wont fix" vulnerabilities that Microsoft decided not to patch with 0patch patches available: PetitPotam, PrinterBug/SpoolSample and DFSCoerce. All of these are present on all latest fully updated Windows versions, and if your organization is using NTLM for any reason, it could be affected.

Currently, 40% of our users are using 0patch for protection against 0day and "wont fix" vulnerabilities, while others use 0patch for keeping their legacy Windows systems and Office versions secure with our security patches.

Micropatch Availability

Since this is a "0day" vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.

Micropatches were written for:

 Legacy Windows versions:

1. Windows 11 v21H2 - fully updated
2. Windows 10 v21H2 - fully updated
3. Windows 10 v21H1 - fully updated
4. Windows 10 v20H2 - fully updated
5. Windows 10 v2004 - fully updated
6. Windows 10 v1909 - fully updated
7. Windows 10 v1809 - fully updated
8. Windows 10 v1803 - fully updated
9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
10. Windows Server 2012 - fully updated with no ESU or ESU 1
    
11. Windows Server 2012 R2 - fully updated with no ESU or ESU 1
12. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
    

 Windows versions still receiving Windows Updates:

1. Windows 11 v24H2 - fully updated   
2. Windows 11 v23H2 - fully updated
3. Windows 11 v22H2 - fully updated
4. Windows 10 v22H2 - fully updated
5. Windows Server 2025 - fully updated
   
6. Windows Server 2022 - fully updated
   
7. Windows Server 2019 - fully updated 
8. Windows Server 2016 - fully updated 
9. Windows Server 2012 fully updated with ESU 2
   
10. Windows Server 2012 R2 fully updated with ESU 2

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

 

Did you know 0patch will security-adopt Windows 10 and Office 2016/2019 when they go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for SCF File NTLM Hash Disclosure Vulnerability (No CVE)

 

While we're on the subject of NTLM hash leaking vulnerabilities [1][2], we found this widely known issue of the same type that was patched by Microsoft at various points in time but never seemed to have received CVE IDs.

The issue is in SCF files with the IconFile property being a network share path like \\<IP_address>\file leaking user's NTLM hash to the network location when the user simply views a folder with such SCF file.

This issue has been documented and mentioned many times in the past, but the oldest mention we could find was this article by Bosko Stankovic of DefenseCode written in May 2017. (The DefenseCode domain is no longer active, so the link is to an archived article on the Internet Archive.)

The vulnerability has long been patched on Windows 10 machines and Windows Servers 2019 and higher, while Windows 7, Windows 8, and Windows Server 2008-2016 only received a patch in August 2024.

 

Microsoft's Patch

Microsoft patched this issue by calling MapUrlToZone to determine the security zone of the icon file, then deciding based on that whether or not to attempt to load the icon.

 

Our Micropatch

Our patch is similar to Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

1. Windows 7 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3
2. Windows Server 2012, Server 2012 R2 - fully updated without ESU
3. Windows Server 2008 R2 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3

 

Newer versions of  Windows Server 2008 (ESU 4) and Windows Server 2012 (ESU 1) do not need our patch as they already have Microsoft's installed.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Bosko Stankovic of DefenseCode for sharing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Analysis of a Flaw in Microsoft's Patch for "copy2pwn" (CVE-2024-38213)

This is a story of a temporarily flawed Microsoft patch.

CVE-2024-38213 is a vulnerability that causes files copied from WebDAV shared folders to Windows machine to not have the Mark of the Web (MotW) applied. This results in such files being overly trusted by Windows Explorer, Defender, SmartScreen and possibly other security products, and vulnerabilities like this are being exploited in the wild.

The vulnerability was discovered by security researcher Peter Girnus and Simon Zuckerbraun with the ZDI and reported to Microsoft, who provided a patch for it with July 2024 updates. Their advisory was, however, not released until August 2024, which was also when Peter published their detailed analysis. and nicknamed the vulnerability "copy2pwn".

We were naturally interested in the vulnerability as it was likely also affecting security-adopted legacy Windows systems for which Microsoft was no longer providing security patches.

Our review of Microsoft's patch, however, revealed something interesting:

It didn't work.

Analysis of the Flaw

CVE-2024-38213 manifests itself on a vulnerable Windows computer when we copy a file using Ctrl-C & Ctrl-V from a WebDAV share, or drag-and-dropping a file from such share. The latter results in a warning (Image 1), but both methods fail to flag the file with Mark of the Web (MotW).

 

Image 1: Security warning when drag-and-dropping a file from a network folder

 

For some reason, even a fully patched testing Windows computer was still behaving the same: no MotW on the copied file.

Analyzing Microsoft's patch, we found that the code for preventing exploitation of CVE-2024-38213 was there, but for some reason it didn't make a difference. Going further, we discovered that all Windows versions updated to August 2024, except Windows 11 and Server 2022, were still vulnerable.

Let's take a look at a relevant section of this code.

Image 2: _StampMotWonDestFileIfNeeded function

The _StampMotwOnDestFileIfNeeded function, added by the patch, has a very descriptive name when we consider CVE-2024-38213 and what it exploits. The function calls MapUrlToZone, based on which it should mark files with MotW when they come from the internet - but fails to do that. Halting execution with WinDbg we could see the execution flow went left (green arrow) after the first function code block (Image 2), which resulted in jumping to the exit block without setting the MotW.

This jump was caused by the compare instruction in the first block: cmp [rcx+89h], 0 so we wanted to know where the value at address rcx+89h came from. In situations like this, esReverse, a powerful reversing and binary analysis solution from eShard, saves the day. Its taint analysis functionality allowed us to take rcx+89h, track it through execution history, and quickly find all places where it was changed and by who. The taint path can traverse processes in case the data we're interested in gets sent from one process to another, tracing it all the way through the kernel.

 

Image 3: esReverse's Taint analysis window

We set up tainting from our current "transition" 447150053, to the very first transition as shown on Image 3. "Tag0" represents the data we're interested in tracing: 0xead25c9 is actually rcx+89h at the time of the execution entering function _StampMotwOnDestFileIfNeeded, and 1 is the number of bytes we care about at that location. Once we had the taint results, we analyzed all transitions and found that the last one was in the CTSTransfer constructor where rcx+89h location is initialized to 0. Then we needed to find the last change that affected location rcx+89h and caused the MotW logic in _StampMotwOnDestFileIfNeeded to be skipped.

Image 4: Instruction that sets the relevant variable to 0

The last executed instruction before _StampMotwOnDestFileIfNeeded compares the value at [rcx+89h] to 0 is: mov [rbx+89h], dil (Image 4) in the CTSTransfer constructor. We now only needed to find who sets the value of dil (the low 8 bytes of register rdi) and why.

Analyzing all transitions, we found the bug in function _InitializeZoneIdentifierInterfaces, called from the CTSTransfer constructor: when calling CoCreateInstance, the return value was compared to 0, and if equal, the function exited assuming CoCreateInstance had failed (Image 5).

 

Image 5: Return value of CoCreateInstance is compared to zero

But this is wrong: 0 is the value of S_OK, a.k.a. "Operation successful," while the code is treating it as an error.

We had our culprit! This bug in _InitializeZoneIdentifierInterfaces resulted in critical IInternetSecurityManager interface code being skipped, which left the interface uninitialized, resulting in _StampMotwOnDestFileIfNeeded determining that it could not use function MapUrlToZone - and deciding to bail out instead of setting a Mark of the Web on the copied file.

Fortunately, Microsoft must have also noticed this flaw and corrected it with the next Windows Update.

 

Image 6: comparison of fixed code (left) and flawed code (right)

Image 6 shows Microsoft's fix for this flaw. As is often the case, Microsoft's patch comes with a "patch switch" allowing for "enabling" the new code via a registry value. This makes sense in cases where the new code has a potential to cause functional problems so individual patches can be "turned off". We're not sure why this could be the case here (with the obvious programming error), but we appreciate the opportunity to show both pre-patch and post-patch code on the same image.

As you can see, the only difference between vulnerable pre-patch code and fixed post-patch code is in a single instruction: jz ("jump if zero") in pre-patch code results in erroring out when the call to CoCreateInstance succeeds (which is wrong), while js ("jump if signed", i.e., jump if negative) in post-patch code errors out when the call fails.

Our Micropatch

Our patch for legacy Windows systems - Windows 7, Server 2008 R2, and several Window 10 versions - was logically identical to Microsoft's (the corrected one, of course). This video shows it in action.

 

 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, visit our Help Center. 

We'd like to thank Peter Girnus with the ZDI for sharing vulnerability details, which allowed us to reproduce it and create a micropatch. We also encourage all security researchers who want to see their vulnerabilities patched to share them with us or alert us about their publications.

Did you know 0patch will security-adopt Windows 10 as well as Office 2016 and Office 2019 when they all go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here. 

Analysis was performed and written by our reverse engineering and patching expert Ziga Sumenjak.

Micropatches Released for Microsoft Outlook Remote Code Execution Vulnerability (CVE-2025-21357)

January 2025 Windows updates brought a fix for CVE-2025-21357, a remote code execution vulnerability in Microsoft Outlook. This vulnerability allows an attacker with access to the Exchange server with user's credentials to execute arbitrary code on user's computer when the user connects to Exchange with Outlook.

The vulnerability was reported to Microsoft by security researchers Jeongmin Choi, JongGeon KIM, Kiyeon Jeong, JunHyuk Im, and SeungYun LEE with bObffice (BOB13th), and Michael Gorelik and Arnold Osipov with Morphisec.

Michael Gorelik with Morphisec privately shared details and POC with us,which allowed us to reproduce the issue and create our own patches for security-adopted Outlook versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

Microsoft patched this issue by initializing a previously uninitialized variable in the affected data structure to 0, preventing a previously possible invalid pointer dereference.

 

Our Micropatch

Our patch is logically equivalent to Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Microsoft Office with all available Windows Updates installed:

1. Microsoft Office 2010 - fully updated
2. Microsoft Office 2013 - fully updated
   

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Michael Gorelik with Morphisec for privately sharing details and POC with us, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 as well as Office 2016 and Office 2019 when they all go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)

November 2024 Windows updates brought a fix for CVE-2024-49019, a privilege escalation vulnerability allowing, under specific conditions, a domain user to create a certificate for another domain user, e.g., domain administrator - and then use it for logging in as that user.

The vulnerability was reported to Microsoft by security researchers Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec.

Justin then published a detailed article on this vulnerability,which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

Microsoft patched this by adding a new function call that disables the Extended Key Usage attribute.

 

Our Micropatch

Our patch performs the same operation with additional optimizations to logic and code flow.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

1. Windows Server 2008 R2 - - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
2. Windows Server 2012 - fully updated without ESU, with ESU 1
3. Windows Server 2012 R2 - fully updated without ESU, with ESU 1
   

 

Only Windows Servers are affected by this issue.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank researchers  Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for Windows OLE Remote Code Execution (CVE-2025-21298)

  

January 2025 Windows updates brought a fix for CVE-2025-21298, a memory corruption issue in Windows OLE data processing that can be exploited by a malicious Word document or a malicious email read in Outlook to execute arbitrary code on user's computer. (Probably also in multiple other ways, but these would be the obvious attack scenarios.)

The vulnerability was reported to Microsoft by security researchers Jmini, Rotiple, D4m0n with Trend Micro Zero Day Initiative.

Subsequently, security researcher Miloš published their analysis and POC of this vulnerability,which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

The root cause of this issue is in function UtOlePresStmToContentsStm free'ing a stream object, but then storing the just free'd pointer which subsequently gets used again.

Microsoft patched this issue by overwriting the free's stream pointer with NULL, preventing its subsequent use.

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

1. Windows 11 v21H2 - fully updated
2. Windows 10 v21H2 - fully updated
3. Windows 10 v21H1 - fully updated
4. Windows 10 v20H2 - fully updated
5. Windows 10 v2004 - fully updated
6. Windows 10 v1909 - fully updated
7. Windows 10 v1809 - fully updated
8. Windows 10 v1803 - fully updated
9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
10. Windows Server 2008 R2 - - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
11. Windows Server 2012 - fully updated without ESU, with ESU 1
12. Windows Server 2012 R2 - fully updated without ESU, with ESU 1
    

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank researchers Jmini, Rotiple, and D4m0n for sharing their finding with Microsoft, and security researcher Miloš for publishing their analysis and POC, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for Windows Task Scheduler Elevation of Privilege Vulnerability (CVE-2024-49039)

 

November 2024 Windows updates brought a fix for CVE-2024-49039, a local privilege escalation issue allowing low-integrity code running on the computer to execute arbitrary medium-integrity code as the same user. This can be useful for escaping low-integrity sandboxes such as those in modern web browsers (such as Mozilla Firefox) and document readers.

In short: if you are malicious code executed with low integrity, you create a scheduled task to be executed as you, then Task Scheduler executes this task with default (medium) integrity. Sandbox escaped.

The vulnerability was reported to Microsoft by the Mozilla Security Team, and by Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group.

Subsequently, security researcher je5442804 published their analysis and POC of this vulnerability,which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

Microsoft patched this issue with new flags on the Task Scheduler RPC interface which prevents a low-integrity process from accessing it.

 

Our Micropatch

We decided to rather patch the TaskSchedulerCreateSchedule function, which is used to create the scheduled task. There, we check the requesting process's integrity before creating the task and deny the creation if the process has low integrity.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

1. Windows 11 v21H2 - fully updated
2. Windows 10 v21H2 - fully updated
3. Windows 10 v21H1 - fully updated
4. Windows 10 v20H2 - fully updated
5. Windows 10 v2004 - fully updated
6. Windows 10 v1909 - fully updated
7. Windows 10 v1809 - fully updated
8. Windows 10 v1803 - fully updated

The vulnerability was first introduced with Windows 10, therefore it does not exist on Windows 7, Windows Server 2008 and Windows Server 2012  (so no patches were needed there).

 Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank je5442804 for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.