On June 12, 2019, Beijing time, Microsoft released security patches for the Windows NTLM tampering vulnerability (CVE-2019-1040), which exists in Windows operating systems and allows attackers to bypass the NTLM MIC (Message Integrity Check) protection.<\/p>\n
NTLM Relay is an attack technique used in domain environments. To counter this type of attacks, Windows employs a signing mechanism. To ensure that NTLM messages are not tampered with by attackers in the negotiation phase, Windows appends a field, that is, MIC, in the NTLM authentication message. However, the said vulnerability could render this field useless, thus allowing attackers to bypass the MIC protection.<\/p>\n
Reference:<\/p>\n
https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-1040<\/p>\n
2 Scope of Impact<\/strong><\/h2>\n\n- Affected Versions<\/li>\n
- Windows 10 for 32-bit Systems<\/li>\n
- Windows 10 for x64-based Systems<\/li>\n
- Windows 10 Version 1607 for 32-bit Systems<\/li>\n
- Windows 10 Version 1607 for x64-based Systems<\/li>\n
- Windows 10 Version 1703 for 32-bit Systems<\/li>\n
- Windows 10 Version 1703 for x64-based Systems<\/li>\n
- Windows 10 Version 1709 for 32-bit Systems<\/li>\n
- Windows 10 Version 1709 for ARM64-based Systems<\/li>\n
- Windows 10 Version 1709 for x64-based Systems<\/li>\n
- Windows 10 Version 1803 for 32-bit Systems<\/li>\n
- Windows 10 Version 1803 for ARM64-based Systems<\/li>\n
- Windows 10 Version 1803 for x64-based Systems<\/li>\n
- Windows 10 Version 1809 for 32-bit Systems<\/li>\n
- Windows 10 Version 1809 for ARM64-based Systems<\/li>\n
- Windows 10 Version 1809 for x64-based Systems<\/li>\n
- Windows 10 Version 1903 for 32-bit Systems<\/li>\n
- Windows 10 Version 1903 for ARM64-based Systems<\/li>\n
- Windows 10 Version 1903 for x64-based Systems<\/li>\n
- Windows 7 for 32-bit Systems Service Pack 1<\/li>\n
- Windows 7 for x64-based Systems Service Pack 1<\/li>\n
- Windows 8.1 for 32-bit systems<\/li>\n
- Windows 8.1 for x64-based systems<\/li>\n
- Windows RT 8.1<\/li>\n
- Windows Server 2008 for 32-bit Systems Service Pack 2<\/li>\n
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)<\/li>\n
- Windows Server 2008 for Itanium-Based Systems Service Pack 2<\/li>\n
- Windows Server 2008 for x64-based Systems Service Pack 2<\/li>\n
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)<\/li>\n
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1<\/li>\n
- Windows Server 2008 R2 for x64-based Systems Service Pack 1<\/li>\n
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)<\/li>\n
- Windows Server 2012<\/li>\n
- Windows Server 2012 (Server Core installation)<\/li>\n
- Windows Server 2012 R2<\/li>\n
- Windows Server 2012 R2 (Server Core installation)<\/li>\n
- Windows Server 2016<\/li>\n
- Windows Server 2016 (Server Core installation)<\/li>\n
- Windows Server 2019<\/li>\n
- Windows Server 2019 (Server Core installation)<\/li>\n
- Windows Server, version 1803 (Server Core Installation)<\/li>\n
- Windows Server, version 1903 (Server Core installation)<\/li>\n<\/ul>\n
3 Detection Method<\/strong><\/h2>\nAll systems that are within the affected scope and not installed with the latest patches are vulnerable. Users can check whether the current system has been patched and determine whether it is vulnerable accordingly. The procedure is as follows:<\/p>\n
\n- Step 1 <\/strong>Press Win + R<\/strong>, type control<\/strong> in the Run<\/strong> window, and press Enter<\/strong>.<\/li>\n<\/ul>\n
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/06\/0617-1.jpg\")
<\/a><\/p>\n\n- Step 2 <\/strong>In the Control Panel<\/strong> window, click Programs<\/strong>.<\/li>\n<\/ul>\n
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/06\/0617-2.jpg\")
<\/a><\/p>\n\n- Step 3 <\/strong>Click View installed updates<\/strong> under Programs and Features<\/strong>.<\/li>\n<\/ul>\n
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/06\/0617-3.jpg\")
<\/a><\/p>\n\n- Step 4 <\/strong>In the text box in the upper-right corner, type the KB number. If no program is displayed, the current system is vulnerable. For a detailed list of KB numbers for different operating system versions, see appendix A Official Patch Download Links.<\/li>\n<\/ul>\n
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/06\/0617-4.jpg\")
<\/a><\/p>\n—-End<\/p>\n
4 Vulnerability Protection<\/strong><\/h2>\n4.1 Official Patches<\/strong><\/h3>\nMicrosoft has released security updates to fix this vulnerability. Users are advised to download and install them as soon as possible. There are three methods to obtain and install patches: intranet WSUS, Microsoft Update service available on Microsoft’s official website, and offline installation.<\/p>\n
Note: To immediately start Windows Update, users can type wuauclt.exe \/detectnow<\/strong> at the command line prompt.<\/p>\n\n- Intranet WSUS<\/li>\n<\/ul>\n
Applicability: This method is applicable to computers that are in the Active Directory domain where the WSUS server is available, or computers that have access to the intranet WSUS service.<\/p>\n
The system automatically downloads new security patches in a regular manner and prompts users to install them. What users need to do is install these patches as prompted.<\/p>\n
To make a patch take effect immediately, users can restart their computers as soon as the installation is complete.<\/p>\n
\n- Microsoft Update Service Available on Microsoft’s Official Website<\/li>\n<\/ul>\n
Applicability: This method is applicable to computers that can connect to the Internet, but have no access to the intranet WSUS service, including those with the intranet WSUS service disabled and those that have this service enabled, but have no access to the intranet.<\/p>\n
If the intranet WSUS service is not enabled on computers, users should first enable it and then install patches and restart the computer as prompted.<\/p>\n
If computers have the intranet WSUS service enabled, but do not connect to the intranet, users should do as follows: Choose Start > All Programs > Windows Update<\/strong>, click Check online for updates from Microsoft Update<\/strong>, and then do as prompted.<\/p>\n\n- Offline Installation<\/li>\n<\/ul>\n
With this method, users need to first download the latest patch for the current system, and then double-click the installation package to install it. For download links, see appendix A Official Patch Download Links.<\/p>\n
\n- Official Patch Download Links<\/li>\n<\/ul>\n
3 Detection Method<\/strong><\/h2>\nAll systems that are within the affected scope and not installed with the latest patches are vulnerable. Users can check whether the current system has been patched and determine whether it is vulnerable accordingly. The procedure is as follows:<\/p>\n
\n- Step 1 <\/strong>Press Win + R<\/strong>, type control<\/strong> in the Run<\/strong> window, and press Enter<\/strong>.<\/li>\n<\/ul>\n
<\/a><\/p>\n\n- Step 2 <\/strong>In the Control Panel<\/strong> window, click Programs<\/strong>.<\/li>\n<\/ul>\n
<\/a><\/p>\n\n- Step 3 <\/strong>Click View installed updates<\/strong> under Programs and Features<\/strong>.<\/li>\n<\/ul>\n
<\/a><\/p>\n\n- Step 4 <\/strong>In the text box in the upper-right corner, type the KB number. If no program is displayed, the current system is vulnerable. For a detailed list of KB numbers for different operating system versions, see appendix A Official Patch Download Links.<\/li>\n<\/ul>\n
<\/a><\/p>\n—-End<\/p>\n
4 Vulnerability Protection<\/strong><\/h2>\n4.1 Official Patches<\/strong><\/h3>\nMicrosoft has released security updates to fix this vulnerability. Users are advised to download and install them as soon as possible. There are three methods to obtain and install patches: intranet WSUS, Microsoft Update service available on Microsoft’s official website, and offline installation.<\/p>\n
Note: To immediately start Windows Update, users can type wuauclt.exe \/detectnow<\/strong> at the command line prompt.<\/p>\n\n- Intranet WSUS<\/li>\n<\/ul>\n
Applicability: This method is applicable to computers that are in the Active Directory domain where the WSUS server is available, or computers that have access to the intranet WSUS service.<\/p>\n
The system automatically downloads new security patches in a regular manner and prompts users to install them. What users need to do is install these patches as prompted.<\/p>\n
To make a patch take effect immediately, users can restart their computers as soon as the installation is complete.<\/p>\n
\n- Microsoft Update Service Available on Microsoft’s Official Website<\/li>\n<\/ul>\n
Applicability: This method is applicable to computers that can connect to the Internet, but have no access to the intranet WSUS service, including those with the intranet WSUS service disabled and those that have this service enabled, but have no access to the intranet.<\/p>\n
If the intranet WSUS service is not enabled on computers, users should first enable it and then install patches and restart the computer as prompted.<\/p>\n
If computers have the intranet WSUS service enabled, but do not connect to the intranet, users should do as follows: Choose Start > All Programs > Windows Update<\/strong>, click Check online for updates from Microsoft Update<\/strong>, and then do as prompted.<\/p>\n\n- Offline Installation<\/li>\n<\/ul>\n
With this method, users need to first download the latest patch for the current system, and then double-click the installation package to install it. For download links, see appendix A Official Patch Download Links.<\/p>\n
\n- Official Patch Download Links<\/li>\n<\/ul>\n
—-End<\/p>\n Microsoft has released security updates to fix this vulnerability. Users are advised to download and install them as soon as possible. There are three methods to obtain and install patches: intranet WSUS, Microsoft Update service available on Microsoft’s official website, and offline installation.<\/p>\n Note: To immediately start Windows Update, users can type wuauclt.exe \/detectnow<\/strong> at the command line prompt.<\/p>\n Applicability: This method is applicable to computers that are in the Active Directory domain where the WSUS server is available, or computers that have access to the intranet WSUS service.<\/p>\n The system automatically downloads new security patches in a regular manner and prompts users to install them. What users need to do is install these patches as prompted.<\/p>\n To make a patch take effect immediately, users can restart their computers as soon as the installation is complete.<\/p>\n Applicability: This method is applicable to computers that can connect to the Internet, but have no access to the intranet WSUS service, including those with the intranet WSUS service disabled and those that have this service enabled, but have no access to the intranet.<\/p>\n If the intranet WSUS service is not enabled on computers, users should first enable it and then install patches and restart the computer as prompted.<\/p>\n If computers have the intranet WSUS service enabled, but do not connect to the intranet, users should do as follows: Choose Start > All Programs > Windows Update<\/strong>, click Check online for updates from Microsoft Update<\/strong>, and then do as prompted.<\/p>\n With this method, users need to first download the latest patch for the current system, and then double-click the installation package to install it. For download links, see appendix A Official Patch Download Links.<\/p>\n<\/a><\/p>\n\n
<\/a><\/p>\n\n
<\/a><\/p>\n\n
<\/a><\/p>\n4 Vulnerability Protection<\/strong><\/h2>\n
4.1 Official Patches<\/strong><\/h3>\n
\n
\n
\n
\n