Monday, February 3, 2025

Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)


November 2024 Windows updates brought a fix for CVE-2024-43451, an NTLM hash disclosure vulnerability that allows an attacker to obtain a user's Net-NTLM hash when the user right-clicks, deletes, or moves a malicious .url file to another folder.

The vulnerability was reported to Microsoft by Israel Yeshurun with ClearSky Cyber Security, who subsequently also published a detailed report. The report allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.


Microsoft's Patch

Microsoft patched this issue by replacing the IECreateFromPathCPWithBCW function with a new version that has an updated check for network paths. Multiple new tests are performed, including calls to MapUrlToZone and IsFileURLW. They also added checks for special characters in the path, but all of these additional checks serve to exclude some network paths (which Microsoft deemed legitimate) from being blocked.


Our Micropatch

As we could imagine no important real-world use for letting .url files automatically load resources from the Internet, we blocked this feature in its entirety by calling MapUrlToZone on the provided file path and only allowing requests to resources in the Trusted Sites, Local Intranet and Local Computer zones. This blocks all automatically triggered Internet resource requests from .url shortcut files without limiting these files' functionality.
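Added example (not 0patch's code): a Python scanner that applies the same zone allow-list to a .url file offline, so an administrator can flag shortcuts whose automatically loaded resource sits outside the allowed zones. MapUrlToZone is approximated here by a few heuristics with assumed Trusted Sites and Local Intranet host lists, and IconFile is taken as the field Explorer resolves on its own; the real URL Security Zones logic is more involved.

```python
import configparser
import re
from urllib.parse import urlparse

# Simplified zone model; the allowed set mirrors the policy described above.
LOCAL_MACHINE, INTRANET, TRUSTED, INTERNET = "LocalMachine", "Intranet", "TrustedSites", "Internet"
ALLOWED_ZONES = {LOCAL_MACHINE, INTRANET, TRUSTED}
TRUSTED_SITES = {"updates.example.com"}      # hypothetical Trusted Sites zone entries
INTRANET_SUFFIXES = (".corp.example",)       # hypothetical Local Intranet zone suffixes
# IconFile is resolved by Explorer on its own; URL is only followed when the user opens the shortcut.
AUTO_LOADED_KEYS = ("IconFile",)
_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")
_UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

def host_of(ref):
    """Host a reference points at, or None for a local drive-letter path."""
    if _DRIVE_RE.match(ref):
        return None
    m = _UNC_RE.match(ref)
    if m:
        return m.group(1).lower()
    p = urlparse(ref)
    if p.scheme == "file":  # file:///C:/... is local, file://host/share is remote
        return p.netloc.lower() or None
    return p.hostname or ""  # no host at all: treated as remote, i.e. blocked

def map_url_to_zone(ref):
    """Rough emulation of MapUrlToZone (an approximation, not the real API)."""
    host = host_of(ref)
    if host is None:
        return LOCAL_MACHINE
    if host in TRUSTED_SITES:
        return TRUSTED
    if host and ("." not in host or host.endswith(INTRANET_SUFFIXES)):
        return INTRANET  # dotless names map to Local Intranet by default
    return INTERNET

def scan_url_file(text):
    """Return [(key, value, zone)] for auto-loaded references the policy would block."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cfg.optionxform = str  # keep key case, e.g. IconFile
    cfg.read_string(text)
    blocked = []
    for key in AUTO_LOADED_KEYS:
        value = cfg.get("InternetShortcut", key, fallback="")
        zone = map_url_to_zone(value) if value else LOCAL_MACHINE
        if zone not in ALLOWED_ZONES:
            blocked.append((key, value, zone))
    return blocked

# Constructed sample .url file: the icon is hosted outside every allowed zone.
SAMPLE_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/\nIconFile=\\\\icons.example.net\\share\\app.ico\nIconIndex=0\n"
```

Running `scan_url_file` over the sample reports the IconFile entry as Internet zone, while the same shortcut with a drive-letter or dotless UNC icon path passes.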


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012, Server 2012 R2 - fully updated without ESU, or with ESU1
  11. Windows Server 2008 R2 - fully updated without ESU, or with ESU 1, ESU 2, ESU 3 or ESU 4
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Israel Yeshurun with ClearSky Cyber Security for sharing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.



