Unpatched Windows Search URI Vulnerability Exposes NTLMv2 Hashes to Attackers
An unpatched vulnerability in Windows Search URI handler has been disclosed, posing a significant risk to user data. This issue, similar to the recently patched CVE-2026-33829, could allow attackers to steal a user's NTLMv2 hash, a critical component for authentication. The vulnerability was first identified by Huntress and leverages the 'search:' URI handler to trigger NTLM authentication and expose the victim's Net-NTLMv2 hash.
The attack vector involves crafting a link that, when clicked, induces the computer to connect to an SMB server controlled by the attacker. This connection reveals the user's NTLMv2 hash, which can then be used for unauthorized access. The use of the 'crumb' parameter, as documented by Varonis, further highlights the potential for hash theft. Interestingly, the vulnerability shares similarities with CVE-2023-35636, which was also related to NTLM hash leakage.
Microsoft's decision not to patch the issue, citing severity criteria, has raised concerns. In the absence of a fix, security experts recommend implementing defensive measures such as blocking outbound SMB access, enforcing SMB signing, and disabling NTLM where possible. These steps are crucial to mitigate the risk of relay attacks and unauthorized access.
This vulnerability underscores the ongoing challenges in securing Windows systems against sophisticated attacks. As cybersecurity threats evolve, organizations must remain vigilant and proactive in their approach to patch management and network security.
What makes this particularly intriguing is the similarity between this vulnerability and others, suggesting a pattern in attack strategies. It also highlights the importance of timely patching and the potential consequences of ignoring security advisories. The fact that Microsoft declined to address the issue despite responsible disclosure raises questions about the effectiveness of their vulnerability management process.
In my opinion, this incident serves as a stark reminder of the need for comprehensive security strategies that go beyond patching. It also emphasizes the importance of user education and the potential impact of seemingly minor vulnerabilities on overall system security.
