PT-2025-10816 · Microsoft · Windows File Explorer

Skorikari · Published 2025-03-11 · Updated 2025-08-30 · CVE-2025-24071

CVSS v2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

Windows 10 Version 1809 version 10.0.17763.0

Description:

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. This occurs when a specially crafted .library-ms file containing an SMB path is compressed within a RAR/ZIP archive and subsequently extracted. Windows Explorer automatically parses the contents of this file, leading to NTLM hash disclosure. The user does not need to open or execute the file; simply extracting it is enough to trigger the vulnerability. This issue is actively being exploited in the wild and has potentially been offered for sale on the darknet.

Recommendations:

Update Windows to the latest version to patch the vulnerability.

As a temporary workaround, consider disabling the automatic parsing of .library-ms files in Windows Explorer to prevent NTLM hash disclosure.

Restrict access to SMB servers and limit the use of RAR/ZIP archives from untrusted sources to minimize the risk of exploitation.
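
One way to screen archives from untrusted sources before a user extracts them, as an added example that is not part of the original advisory: the code inspects a ZIP archive in memory and reports any .library-ms member whose content references a UNC (SMB) path. The function names, the size limit and the sample archive are assumptions constructed for illustration; RAR archives need a third-party reader and are not covered.

```python
import io
import re
import zipfile

# UNC path such as \\host\share (the "SMB path" the advisory describes).
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s<>\"']+")


def _decode(data: bytes) -> str:
    """Decode member bytes; honour a UTF-16 BOM, otherwise treat as UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def scan_zip(source, max_member_bytes=1_000_000):
    """Return [(member_name, [unc_paths])] for .library-ms members with UNC paths.

    `source` is a path or a binary file object. Nothing is written to disk,
    so Explorer never sees the member. Reads are capped per member.
    """
    findings = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".library-ms"):
                continue
            with zf.open(info) as fh:
                text = _decode(fh.read(max_member_bytes))
            hits = sorted(set(UNC_RE.findall(text)))
            if hits:
                findings.append((info.filename, hits))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one flagged member, two that are ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Content is a fragment only, not a complete library description.
        zf.writestr("docs/Invoice.library-ms", "<url>\\\\files.example.test\\share</url>")
        zf.writestr("docs/local.LIBRARY-MS", "<url>C:\\Users\\Public\\Documents</url>")
        zf.writestr("readme.txt", "see \\\\files.example.test\\share")
    return buf.getvalue()


if __name__ == "__main__":
    for name, paths in scan_zip(io.BytesIO(build_sample_zip())):
        print(f"{name}: {', '.join(paths)}")
```

A mail gateway or download proxy can quarantine any archive for which `scan_zip` returns a non-empty list.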

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-02757
CVE-2025-24071

Affected Products

Windows
Windows File Explorer