Tag Archives: NTLM

Mitigating Microsoft’s June 2019 NTLM Vulnerabilities

Microsoft issued an update yesterday to resolve 2 vulnerabilities within Windows that can be used to allow an attacker to authenticate and run code remotely.

TL DR: Install the updates for CVE-2019-1019 and CVE-2019-1040 and follow the recommend guidelines in Preempt’s blog post:

If attackers exploited these issues; what would the result be?
Preempt responsibly disclosed 2 vulnerabilities as a result of 3 logic flaws in NTLM to Microsoft. As a result of previous disclosures Microsoft added the Message Integrity Code (MIC) field designed to guarantee that attackers cannot tamper with NTLM messages in any way. Preempt bypassed this allowing them to change NTLM authentication fields, reducing security.

Next; Server Message Block (SMB) Session Signing was bypassed by Preempt allowing attackers to relay NTLM authentication messages and establish SMB and DCE/RPC sessions. Enhanced Protection for Authentication (EPA) was bypassed allowing the altering of “NTLM messages to generate legitimate channel binding information.” Finally, their bypasses could allow “attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution.” This potentially could lead to the entire Active Directory domain becoming compromised by moving laterally from system to system.

How can an organisation or a consumer/end-user defend against these attacks/bypasses?
Install the updates for CVE-2019-1019 and CVE-2019-1040:

Moreover; Preempt’s blog post provides the necessary recommendations to fully mitigate these issues.


For reference I have linked to how to enable the following mitigations:

Enforce SMB Signing

Block NTLMv1
Part 1

Further information link

Enforce LDAP Signing

Enforce EPA:
Part 1

Part 2


Thank you.

July 2017 Security Updates Summary

Earlier today as expected Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved a relatively large number of vulnerabilities at 54 in total more formally known as CVEs (defined). However it’s less than last month at 94. These are detailed within Microsoft’s new Security Updates Guide.

After 2 months of updates being released for versions of Windows which were no longer supported, this month is a return to the usual expected patches.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog which I routinely referenced is no longer available.


Adobe made available just two security bulletins for the following products:

Adobe Connect (priority 3, 2x important and 1x moderate CVE)

Adobe Flash (priority 1, 1x critical, 2x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.


You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):


A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

For this month’s Microsoft updates, I will prioritize the order of installation for you below:
Critical severity:

Windows Search

Microsoft Edge and Internet Explorer

NT LAN Manager Elevation of privilege (CVE-2017-8563)(Corporate users: please ensure to set a more secure LDAP setting as per this knowledge base article)

Windows Explorer (CVE-2017-8463)

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Note: This post marks the 300th post on this blog. Thank you very much to my readers and here’s to the next 300!

Update:8th August 2017:

Nvidia Geforce Drivers:
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 9 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.70 in early July. It contains 1 security fix and 2 non-security bug fixes  (see below).  It is downloadable from here.

Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory, even a name we missed when we thought we’d fixed this in 0.69. See vuln-indirect-dll-hijack-3.

If you use Putty, please update it to version 0.70. Thank you.