bleepingcomputer[.]com/news/security/new-windows-zero-day-exposes-ntlm-credentials-gets-unofficial-patch/
It's hard to say right now how serious this is for home users. On the one hand, it's a zero-click vulnerability: the exploit only requires that you see the malware file in Windows Explorer, rather than having to click anything. On the other hand, the exploit steals NTLM credentials, which are much more important in a corporate IT network environment; there's no 2nd- or 3rd-party evaluation yet; and the info on the discovery and proposed cure for this vulnerability was released as self-promotion for the 0patch company.

0patch [0patch[.]com] is a security services company focused on patching Windows vulnerabilities. Windows is not open source, so modifying Windows files without Microsoft's (unlikely) approval would be a legal minefield. What 0patch does instead is apply the necessary patches to files once they've been read into memory, prior to their being used or executed. This is done by their Agent software that you install, and the patching doesn't alter the files on disk or require a system restart. I did a quick Google and did not see an objective review of 0patch and their methods in half a dozen pages of search results. 0patch is trying hard to build awareness of the company, as they plan on continuing to patch Win10 after it reaches EOL next year.
NTLM itself is an old protocol for establishing a secure login connection that Microsoft includes in Windows purely for backwards compatibility; they plan on eliminating it completely in the future. The only use home users likely have for NTLM *may be* workgroups; on a business/corporate network it may be used to log into domain servers.

In Win11 Pro you can fire up the Group Policy Editor (either search in the Start Menu or double-click the icon in Windows Tools) and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, then scroll down the right-hand window to the NTLM settings, where you can turn on auditing and/or deny access to NTLM. Auditing can be used to verify whether anything you do uses NTLM, so you don't break something by turning it off. Or you can just turn it off and, if you have problems, turn it back on. If you want to take an active approach, I recorded the following registry changes for the different options: copy/paste one of the following into a new text file, name it [SomeName].reg, and double-click the .reg file to make those changes to the Windows registry.
To turn auditing on:
-------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"AuditReceivingNTLMTraffic"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"AuditNTLMInDomain"=dword:00000007
-------
To undo that change:
-------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"AuditReceivingNTLMTraffic"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"AuditNTLMInDomain"=-
-------
Turn NTLM off [deny access]:
-------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictReceivingNTLMTraffic"=dword:00000002
"RestrictSendingNTLMTraffic"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RestrictNTLMInDomain"=dword:00000007
-------
To undo that change [allow access]:
-------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictReceivingNTLMTraffic"=-
"RestrictSendingNTLMTraffic"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RestrictNTLMInDomain"=-
-------
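The same audit, check, then deny sequence as the .reg files above, written as PowerShell functions so it can be applied, inspected and rolled back from one elevated prompt. This is an added example, not part of the original post and not anything 0patch or Microsoft published. It writes the same five registry values the .reg files above write, adds one the post does not set (RestrictSendingNTLMTraffic = 1, the "Audit all" setting for outgoing NTLM, which is the direction this machine uses when it authenticates to a remote server), and reads the resulting audit events (IDs 8001-8004) out of the Microsoft-Windows-NTLM/Operational log so you can see what actually used NTLM before you deny it. The function names are my own.

```powershell
# Added example (not from the original post): the post's audit -> check -> deny
# sequence as PowerShell, so it can be applied and rolled back without hand-editing
# .reg files. Run from an elevated PowerShell prompt on the local machine.
# The registry values are the same ones the post's .reg files write; the Local
# Security Policy names they correspond to are noted in the comments.
#Requires -RunAsAdministrator

$Msv1     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$NtlmLog  = 'Microsoft-Windows-NTLM/Operational'   # where the audit events land

function Enable-NtlmAudit {
    # "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" = Enable auditing for all accounts
    Set-ItemProperty -Path $Msv1 -Name AuditReceivingNTLMTraffic -Type DWord -Value 2
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" = Audit all
    # (value 1 audits, value 2 denies). Not in the post's .reg file; this is the client-side
    # direction, i.e. this machine authenticating to a remote server.
    Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -Type DWord -Value 1
    # "Network security: Restrict NTLM: Audit NTLM authentication in this domain" = Enable all
    Set-ItemProperty -Path $Netlogon -Name AuditNTLMInDomain -Type DWord -Value 7
    # Make sure the operational log that receives events 8001-8004 is switched on.
    $log = Get-WinEvent -ListLog $NtlmLog
    if (-not $log.IsEnabled) { $log.IsEnabled = $true; $log.SaveChanges() }
}

function Get-NtlmAuditSummary {
    # Counts audit events per ID over the last N days and shows the most recent message
    # for each, so you can see what is still using NTLM before you deny it.
    #   8001 = outgoing NTLM that would be blocked (client side)
    #   8002 = incoming NTLM that would be blocked (server side)
    #   8003 = NTLM authentication in the domain that would be blocked (audit)
    #   8004 = NTLM authentication in the domain actually blocked
    param([int]$Days = 7)
    $filter = @{ LogName = $NtlmLog; Id = 8001, 8002, 8003, 8004; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Output "No NTLM audit events in $NtlmLog during the last $Days day(s)."
        return
    }
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).Message
        }
    }
}

function Disable-Ntlm {
    # Same three values as the post's "deny access" .reg file.
    # "Incoming NTLM traffic" = Deny all accounts
    Set-ItemProperty -Path $Msv1 -Name RestrictReceivingNTLMTraffic -Type DWord -Value 2
    # "Outgoing NTLM traffic to remote servers" = Deny all
    Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -Type DWord -Value 2
    # "NTLM authentication in this domain" = Deny all
    Set-ItemProperty -Path $Netlogon -Name RestrictNTLMInDomain -Type DWord -Value 7
}

function Reset-NtlmPolicy {
    # Equivalent of the "=-" lines in the post's undo files: remove the values so the
    # settings go back to "Not Defined".
    foreach ($name in 'AuditReceivingNTLMTraffic', 'RestrictReceivingNTLMTraffic', 'RestrictSendingNTLMTraffic') {
        Remove-ItemProperty -Path $Msv1 -Name $name -ErrorAction SilentlyContinue
    }
    foreach ($name in 'AuditNTLMInDomain', 'RestrictNTLMInDomain') {
        Remove-ItemProperty -Path $Netlogon -Name $name -ErrorAction SilentlyContinue
    }
}

function Show-NtlmPolicy {
    # Read back the current state; a missing value means the policy is not configured.
    $items = @(
        @{ Path = $Msv1;     Name = 'AuditReceivingNTLMTraffic' },
        @{ Path = $Msv1;     Name = 'RestrictReceivingNTLMTraffic' },
        @{ Path = $Msv1;     Name = 'RestrictSendingNTLMTraffic' },
        @{ Path = $Netlogon; Name = 'AuditNTLMInDomain' },
        @{ Path = $Netlogon; Name = 'RestrictNTLMInDomain' }
    )
    foreach ($i in $items) {
        $v = (Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue).($i.Name)
        [pscustomobject]@{
            Value   = $i.Name
            Setting = $(if ($null -eq $v) { 'not configured' } else { $v })
        }
    }
}

# Typical sequence: audit for a week, review, then deny (or roll back if something breaks).
# Enable-NtlmAudit
# Get-NtlmAuditSummary -Days 7 | Format-List
# Disable-Ntlm
# Reset-NtlmPolicy
Show-NtlmPolicy
```

Run it from an elevated prompt. These are Group Policy security options, so on a domain-joined machine a domain GPO that configures them will overwrite anything set here at the next policy refresh; the Local Security Policy names each value maps to are in the comments, so the same change can be made in gpedit as described above. If the audit summary shows 8002 events for your workgroup file shares, expect those shares to stop working once Disable-Ntlm is applied, which is exactly the breakage the audit step is meant to surface first.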