Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Microsoft Windows NTLM Spoofing Vulnerability Allowing Unauthorized Credential Disclosure
Vulnerability
A spoofing vulnerability has been identified in the Microsoft Windows NTLM implementation, specifically in the handling of '.library-ms' (Windows Library) files. When such a file is previewed or extracted from an archive, Windows can connect to an attacker-controlled SMB server referenced by the file and authenticate to it, disclosing the user's NTLMv2 challenge-response (Net-NTLMv2 hash) to that server. A captured response can be cracked offline or relayed to other services that accept NTLM, enabling credential theft and follow-on attacks. Because previewing the file in a file browser is enough to trigger the authentication attempt, the user does not need to open it. The vulnerability affects several versions of Windows, including Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows 10 Version 1607.
Impact
An unauthenticated attacker who gets a victim to preview or extract a crafted '.library-ms' file can capture the victim's NTLMv2 response over the network and use it to spoof that user's identity, for example by relaying it to another host or cracking it to recover the password. This can lead to unauthorized access or actions performed under the spoofed identity.
Remediation
Users are advised to install the latest official security updates from Microsoft. For those unable to apply the patch immediately, a temporary mitigation script is available that restricts outbound NTLM traffic and enforces SMB signing requirements; it should be run in an elevated PowerShell session. Two caveats apply: requiring SMB signing prevents a captured NTLMv2 response from being relayed, but it does not stop a rogue SMB server from recording the response for offline cracking, so the outbound NTLM restriction (or blocking outbound SMB to untrusted networks) is the control that actually prevents the disclosure; and denying all outbound NTLM can break legitimate authentication to servers that only support NTLM, so the restriction should be staged in audit mode first.
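The following is an added example of the kind of interim hardening the advisory describes, written for this page; it is not the vendor's mitigation script. It uses the documented registry locations for NTLM outbound restriction and SMB signing, and adds an outbound firewall rule for TCP 445 on the Public profile. The `-AuditOnly` switch, the rule name and the choice of the Public profile are assumptions of this example.

```powershell
# Added example (not the vendor script the advisory refers to): interim
# hardening that limits outbound NTLM and SMB exposure until the Microsoft
# update is installed. Run in an elevated PowerShell session.
[CmdletBinding()]
param(
    # Assumed switch for this example: start in audit mode so legitimate
    # outbound NTLM use is logged (Microsoft-Windows-NTLM/Operational,
    # event 8001) before it is denied outright.
    [switch]$AuditOnly
)

$ErrorActionPreference = 'Stop'

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
# Denying outbound NTLM is what stops the NTLMv2 response from ever being
# sent to a rogue SMB server.
$ntlmMode = if ($AuditOnly) { 1 } else { 2 }
New-Item -Path $lsa -Force | Out-Null
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value $ntlmMode -Type DWord

# Require SMB signing on the workstation (client) and server services.
# Signing defeats relay of a captured response; it does not prevent a rogue
# server from recording the response for offline cracking.
foreach ($path in @($wks, $srv)) {
    Set-ItemProperty -Path $path -Name 'RequireSecuritySignature' -Value 1 -Type DWord
}

# Block outbound SMB (TCP 445) on the Public profile so a library file that
# points at an Internet-hosted share cannot trigger authentication at all.
# Assumption: domain/private shares are still needed, so those profiles are
# left alone; tighten further if the host never needs SMB on those networks.
$ruleName = 'Block outbound SMB to untrusted networks (NTLM leak mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Profile Public -Action Block | Out-Null
}

# Report the resulting state so the change can be verified (and reverted if
# audit logging shows legitimate NTLM dependencies).
[pscustomobject]@{
    RestrictSendingNTLMTraffic = (Get-ItemProperty -Path $lsa).RestrictSendingNTLMTraffic
    WorkstationRequireSigning  = (Get-ItemProperty -Path $wks).RequireSecuritySignature
    ServerRequireSigning       = (Get-ItemProperty -Path $srv).RequireSecuritySignature
    OutboundSmbBlocked         = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
}
```

Run it first as `.\mitigate.ps1 -AuditOnly`, review the NTLM operational log for a day or two, and only then run it without the switch; on hosts that must use NTLM to reach a specific server, use the `ClientAllowedNTLMServers` exception list under the same `MSV1_0` key rather than leaving outbound NTLM fully open.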
