Older Windows versions remain vulnerable to this attack

Microsoft recently fixed a critical vulnerability that allowed any hacker to gain login authentication of a Windows system without any user interaction. The hack was done by stealing Windows NTLM hash passwords.

The hack can be carried out only on those systems whose password protection sharing has been disabled. Users in enterprise environments, schools, and other public networks often share folders without a password due to convenience, leaving many systems open for attacks.

To carry out the attack successfully, the attacker is required to place a malicious SCF (Shell Command) file inside publicly accessible Windows folders.

Once the file has been placed inside the folder, it automatically executes (due to a vulnerability) without any user interaction, collects the target’s NTLM password hash, and sends it to an attacker-configured server. Using publicly available software, an attacker could crack the NTLM password hash and later gain access to the user’s computer.

The hack was discovered by a security researcher (blog linked below) who reported the bug to Microsoft back in April.

* Microsoft fixed the issue with the October Patch Tuesday via the ADV170014 security advisory.
* The ADV170014 is an optional patch, installing it is highly recommended.
* The patch is only for Windows 10 and Windows Server 2016 users.

Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall.