Friday, March 7, 2025

Micropatches Released for SCF File NTLM Hash Disclosure Vulnerability (No CVE)


While we're on the subject of NTLM hash leaking vulnerabilities [1][2], we looked at this widely known issue of the same type, which Microsoft patched at various points in time but which never seems to have received a CVE ID.

The issue is that an SCF file whose IconFile property points to a network share path like \\<IP_address>\file leaks the user's NTLM hash to that network location as soon as the user simply views a folder containing such an SCF file, because Explorer attempts to load the icon from the remote location.

This issue has been documented and mentioned many times in the past, but the oldest mention we could find was this article by Bosko Stankovic of DefenseCode written in May 2017. (The DefenseCode domain is no longer active, so the link is to an archived article on the Internet Archive.)

The vulnerability has long been patched on Windows 10 machines and Windows Server 2019 and higher, while Windows 7, Windows 8, and Windows Server 2008-2016 only received a patch in August 2024.


Microsoft's Patch

Microsoft patched this issue by calling MapUrlToZone to determine the security zone of the icon file, then deciding based on that zone whether or not to attempt to load the icon.


Our Micropatch

Our patch is similar to Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 7 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3
  2. Windows Server 2012, Server 2012 R2 - fully updated without ESU
  3. Windows Server 2008 R2 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3

Newer versions of Windows Server 2008 (ESU 4) and Windows Server 2012 (ESU 1) do not need our patch, as they already have Microsoft's installed.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Bosko Stankovic of DefenseCode for sharing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.
