Coerced authentication is any method that allows an attacker to force a target system to authenticate against attacker's computer and reveal its credentials in the process. The most useful form of coerced authentication on Windows is arguably one that forces a remote Windows computer to send its machine (system) account's NTLM credentials to attacker, which can then be relayed to another computer.
Microsoft does not consider "coerced authentication" methods vulnerabilities worth fixing and rather suggests several options for mitigating attacks, including disabling NTLM. For various, mostly legacy-related reasons, many large organizations can't implement these options.
That is why we at 0patch have decided to provide our own patches for known coerced authentication issues so that both legacy Windows systems like Windows 7 and Server 2008 R2 and the latest Windows 11 and Server 2025 that are using NTLM get to be properly protected. So far we have been providing (and dutifully porting to new versions of executable files) patches for these coerced authentication issues:
We are now adding a fourth coerced authentication issue to the list: "WSPCoerce". WSPCoerce was discovered by Simon Lemire who also published a WSPCoerce proof-of-concept tool. The tool sends a request to the Windows Search Service running by default on any Windows workstation (but not on servers), causing it to read a shared folder on attacker's computer - revealing machine account's NTLM credentials in the process.
Our patch adds a security check to the processing of affected search requests such that a remote machine can only request a search of a shared folder on the same remote machine (the target machine), and not on some other machine in the network. This preserves search and indexing functionality, but prevents coerced authentication.
Micropatch Availability
Micropatches were written for:
Legacy Windows versions:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
- Windows Server 2012 - fully updated without ESU or with ESU 1
- Windows Server 2012 R2 - fully updated without ESU or with ESU 1
- Windows Server 2008 R2 - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
Windows versions still receiving Windows Updates:
- Windows 11 v24H2 - fully updated
- Windows 11 v23H2 - fully updated
- Windows 11 v22H2 - fully updated
- Windows 10 v22H2 - fully updated
- Windows Server 2025 - fully updated
- Windows Server 2022 - fully updated
- Windows Server 2019 - fully updated
- Windows Server 2016 - fully updated
- Windows Server 2012 fully updated with ESU 2
- Windows Server 2012 R2 fully updated with ESU 2
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and
attackers know about them all. If you're using Windows that aren't
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won't be exploited on your computers - and you won't
even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
We'd like to thank Simon Lemire for sharing their finding and their tool, which allowed us to reproduce the issue and create patches for our users.
Did
you know 0patch will security-adopt Windows 10 when it goes out of
support in October 2025, allowing you to keep using it for at least 5
more years? Read more about it here.
To learn more about 0patch, please visit our Help Center.
