Zero‑Day NTLM Response Disclosure in Microsoft Office URI Handler (ZDI‑26‑293)
What Happened – A newly disclosed vulnerability (ZDI‑26‑293 / ZDI‑CAN‑28651) in Microsoft Office’s handling of URI schemes allows a remote attacker to harvest NTLM response hashes when a user opens a malicious document or visits a crafted web page. The flaw stems from insufficient input validation of the Office URI handler.
Why It Matters for TPRM (Third‑Party Risk Management) –
- NTLM hashes can be relayed or cracked, enabling lateral movement into downstream vendors.
- Office is ubiquitous across enterprises; a single compromised user can expose credential material for many third‑party services.
- The issue is a zero‑day with no vendor‑issued patch, which lengthens the exposure window.
Who Is Affected – All organizations that deploy Microsoft Office desktop applications, spanning finance, healthcare, government, and SaaS providers.
Recommended Actions –
- Immediately restrict or disable Office URI handling via Group Policy.
- Enforce multi‑factor authentication for services that accept NTLM authentication.
- Monitor for anomalous NTLM traffic and implement network‑level detection of credential replay.
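The third action above, monitoring for anomalous NTLM traffic, can be expressed as two simple detections. The following is an added example, not code from the advisory or from the Zero Day Initiative. It runs over constructed log lines embedded in the script (no real telemetry) and assumes a pipe‑delimited firewall export and a pipe‑delimited extract of Windows logon events (Event ID 4624 fields); the internal address ranges, field order and file formats are assumptions for the example. The first detection flags outbound SMB from an internal host to a non‑internal address, the network signature of a forced NTLM authentication to an external server. The second is a heuristic for replay or relay: the same account completing NTLM network logons from two different source addresses within a short window.

```python
"""Two NTLM leak/replay detections over constructed sample logs (added example).

1. egress_smb_alerts: internal host -> non-internal address on tcp/445 or tcp/139.
2. relay_alerts: one account's NTLM network logons (logon type 3) arriving from
   two different source IPs within `window_seconds` (heuristic for relay/replay).
"""
import ipaddress
from datetime import datetime, timedelta

# Assumption: the organisation's internal address space (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

# Constructed firewall log lines (not real data): time|src|dst|dport|action
FIREWALL_LOG = """\
2024-05-02T09:00:01|10.1.4.22|10.1.8.5|445|allow
2024-05-02T09:00:07|10.1.4.22|203.0.113.45|445|allow
2024-05-02T09:00:09|10.1.4.22|203.0.113.45|443|allow
2024-05-02T09:01:13|10.1.4.31|198.51.100.9|139|allow
"""

# Constructed logon records (Event 4624 fields, not real data):
# time|account|src_ip|logon_type|auth_package
LOGON_LOG = """\
2024-05-02T09:00:02|jdoe|10.1.4.22|3|NTLM
2024-05-02T09:00:20|jdoe|10.1.9.77|3|NTLM
2024-05-02T09:05:00|asmith|10.1.4.31|3|NTLM
2024-05-02T09:30:00|asmith|10.1.4.31|3|NTLM
2024-05-02T10:00:00|bwong|10.1.4.40|3|Kerberos
2024-05-02T10:00:30|bwong|10.1.9.77|3|Kerberos
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_smb_alerts(log: str = FIREWALL_LOG) -> list:
    """Return (src, dst, dport) for allowed SMB connections leaving the internal space."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, action = line.split("|")
        port = int(dport)
        if action == "allow" and port in SMB_PORTS \
                and is_internal(src) and not is_internal(dst):
            alerts.append((src, dst, port))
    return alerts


def relay_alerts(log: str = LOGON_LOG, window_seconds: int = 60) -> list:
    """Return (account, first_src, second_src, seconds_apart) when an account's
    NTLM network logons come from two different sources inside the window."""
    last_seen = {}  # account -> (timestamp, src_ip) of its latest NTLM type-3 logon
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, src, logon_type, package = line.split("|")
        if package != "NTLM" or logon_type != "3":
            continue  # Kerberos and interactive logons are out of scope here
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(account)
        if prev and prev[1] != src and t - prev[0] <= timedelta(seconds=window_seconds):
            alerts.append((account, prev[1], src, int((t - prev[0]).total_seconds())))
        last_seen[account] = (t, src)
    return alerts


if __name__ == "__main__":
    for a in egress_smb_alerts():
        print("outbound SMB to non-internal host:", a)
    for a in relay_alerts():
        print("NTLM logon from two sources within window:", a)
```

The egress check is the higher‑signal of the two: a workstation has no legitimate reason to open SMB sessions to Internet addresses, so blocking tcp/445 and tcp/139 outbound at the perimeter both prevents the leak and makes any remaining attempts stand out in the firewall log. The relay heuristic will produce some noise from users who genuinely work from two hosts at once, so tune the window and baseline per‑account source sets before alerting on it.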
Technical Notes – The vulnerability is triggered by user interaction (a malicious link or file) and results in disclosure of NTLM response data, rated as a low confidentiality impact. CVSS v3 base score 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). No public exploit code is known, but the attack surface is broad because of Office’s prevalence. Source: Zero Day Initiative advisory