A recently disclosed “forced authentication” technique exposes a Windows user’s NT LAN Manager (NTLM) tokens [3] [5]. The attack relies on tricking a victim into opening a specially crafted Microsoft Access file [1] [2] [3] [4] [5], which causes the victim’s machine to send the user’s NTLM tokens to the attacker.

Description

Attackers take advantage of a feature in the Microsoft Access database management system that lets users link to external data sources [3] [6], such as a remote SQL Server. By embedding a link to a remote SQL Server database inside an MS Word document using Object Linking and Embedding (OLE) [4], attackers abuse the linked-table feature of Microsoft Access [6]. The attack can be delivered through several Office file formats [6], including .accdb and .mdb files [2], as well as other common Office file types such as .rtf [5]. Because the client authenticates to the linked server automatically when the file is opened, the user’s NTLM tokens leak to an attacker-controlled server, and this can happen over any TCP port [5].
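The paragraph above makes one point that matters for detection: because the leak can use any TCP port, a defender cannot rely on blocking or alerting on port 445 alone. The following added example (not code from the original article or from any of the cited sources) shows how a network monitor can instead look for the NTLMSSP AUTHENTICATE message itself in outbound payloads and report which domain\user was sent to a non-internal host, whatever the port. The message layout follows the published MS-NLMP field offsets; the sample connection records, the "internal" address ranges and the dummy response bytes are constructed for this example.

```python
"""Detect outbound NTLM authentication in captured TCP payloads, on any port.

Added example: finds an NTLMSSP AUTHENTICATE (type 3) message inside a
connection's payload and reports the domain\\user whose credentials are being
sent to a destination outside the organisation. All sample data below is
constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3          # MS-NLMP MessageType for AUTHENTICATE_MESSAGE
NEGOTIATE_UNICODE = 0x00000001    # MS-NLMP NTLMSSP_NEGOTIATE_UNICODE flag
NEGOTIATE_NTLM = 0x00000200       # MS-NLMP NTLMSSP_NEGOTIATE_NTLM flag

# Assumed internal ranges (RFC 1918); adjust to the monitored environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NtlmAuth:
    domain: str
    user: str
    workstation: str


@dataclass
class Flow:
    """One captured outbound TCP connection (constructed record format)."""
    dst_ip: str
    dst_port: int
    payload: bytes


def _field(buf: bytes, offset: int):
    """Decode an 8-byte MS-NLMP field descriptor: Len, MaxLen, BufferOffset."""
    length, _max_len, buf_offset = struct.unpack_from("<HHI", buf, offset)
    return length, buf_offset


def parse_ntlm_authenticate(payload: bytes) -> Optional[NtlmAuth]:
    """Return the identity in an NTLMSSP AUTHENTICATE message, or None.

    The signature may sit behind a transport header (SMB, HTTP, ...), so it is
    searched for rather than assumed at offset 0. Truncated messages return None.
    """
    idx = payload.find(NTLMSSP_SIGNATURE)
    if idx < 0:
        return None
    msg = payload[idx:]
    if len(msg) < 64:  # fixed header up to and including NegotiateFlags
        return None
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        return None
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Strings are UTF-16LE when UNICODE is negotiated; the OEM code page varies
    # by system, so latin-1 is used here as a lossless fallback (assumption).
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    values = []
    for field_offset in (28, 36, 44):  # DomainName, UserName, Workstation descriptors
        length, buf_offset = _field(msg, field_offset)
        if buf_offset + length > len(msg):
            return None  # malformed or cut short: do not trust partial data
        values.append(msg[buf_offset:buf_offset + length].decode(encoding, errors="replace"))
    return NtlmAuth(domain=values[0], user=values[1], workstation=values[2])


def build_sample_authenticate(domain: str, user: str, workstation: str) -> bytes:
    """Constructed AUTHENTICATE message with dummy challenge responses (fixture only)."""
    header_len = 64
    blobs = [b"\x00" * 24, b"\x11" * 24]                       # dummy LM and NT responses
    blobs += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    blobs.append(b"")                                          # no session key
    fields, offset = b"", header_len
    for blob in blobs:
        fields += struct.pack("<HHI", len(blob), len(blob), offset)
        offset += len(blob)
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    return NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields + flags + b"".join(blobs)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_ntlm_leaks(flows: List[Flow]) -> List[str]:
    """Alert on every NTLM authentication sent to a non-internal host, any port."""
    alerts = []
    for flow in flows:
        auth = parse_ntlm_authenticate(flow.payload)
        if auth is None or is_internal(flow.dst_ip):
            continue
        alerts.append(f"NTLM credentials for {auth.domain}\\{auth.user} sent from "
                      f"{auth.workstation} to {flow.dst_ip}:{flow.dst_port}")
    return alerts


# Constructed sample traffic: 203.0.113.0/24 is a documentation range.
SAMPLE_FLOWS = [
    # NTLM auth behind a fake transport header, to an external host on a non-SMB port
    Flow("203.0.113.10", 8080, b"\xfeSMB" + b"\x00" * 12 + build_sample_authenticate("CORP", "alice", "WS01")),
    # Same authentication to an internal file server: expected, not alerted
    Flow("10.0.0.5", 445, build_sample_authenticate("CORP", "alice", "WS01")),
    # Plain HTTP to an external host: no NTLM present
    Flow("203.0.113.20", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for line in find_external_ntlm_leaks(SAMPLE_FLOWS):
        print(line)
```

Matching on the NTLMSSP signature and message type rather than on a port is what lets this catch the "any TCP port" variant the article describes; tuning it for a real environment means replacing the assumed internal ranges with the organisation's own address plan and feeding it reassembled TCP payloads from the capture tool in use.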

Microsoft has responded by releasing mitigations for the latest version of Office/Access, while unofficial fixes are available for older versions [6]. Users should keep their software up to date to benefit from these mitigations. Additionally, Microsoft has announced plans to discontinue the use of NTLM in Windows 11 in favor of Kerberos [1], a move aimed at removing this class of credential leak altogether.

Conclusion

This discovery highlights the importance of addressing emerging threats promptly. Microsoft’s mitigations for the latest version of Office/Access and the unofficial fixes for older versions provide some relief, but they only help users who actually apply them, so keeping software updated remains essential. Microsoft’s decision to discontinue NTLM in Windows 11 in favor of Kerberos addresses the underlying weakness that forced-authentication attacks depend on.

References

[1] https://thehackernews.com/2023/11/hackers-can-exploit-forced.html
[2] https://ourfuns.com/index.php/2023/11/28/unveiling-the-vulnerability-understanding-the-threat-of-forced-authentication-in-windows-ntlm-tokens/
[3] https://threatnote.com/infosec-news/from-the-hacker-news-hackers-can-exploit-forced-authentication-to-steal-windows-ntlm-tokens/
[4] https://ciso2ciso.com/hackers-can-exploit-forced-authentication-to-steal-windows-ntlm-tokens-sourcethehackernews-com/
[5] https://www.443news.com/2023/11/hackers-can-exploit-forced-authentication-to-steal-windows-ntlm-tokens/
[6] https://isp.page/news/hackers-can-exploit-forced-authentication-to-steal-windows-ntlm-tokens-2/