Two security vulnerabilities in Microsoft's NTLM authentication protocol allow attackers to bypass the MIC (Message Integrity Code) protection and downgrade NTLM security features leading to full domain compromise.
Microsoft patched the two NTLM flaws and issued security advisories as part of the
Patch Tuesday security updates issued yesterday after Preempt’s disclosure.
Preempt researchers
Yaron Zinar and
Marina Simakov discovered that attackers can exploit these flaws as part of NTLM relay attacks that may, in some cases, "cause full domain compromise of a network," with all Active Directory customers with default configurations being exposed.
The Windows NT (New Technology) LAN Manager (NTLM) authentication protocol is used for client/server authentication purposes to authenticate remote users, as well as to provide session security when requested by app protocols.
