Windows Themes Zero-Day Vulnerability Exposes NTLM Credentials to Theft • The Register

A New Zero-Day Vulnerability: Windows Themes Spoofing NTLM Credentials

In the ever-evolving landscape of cybersecurity, vulnerabilities can emerge unexpectedly, posing significant risks to users and organizations alike. Recently, a new zero-day vulnerability has been identified that exploits Windows Themes to steal NTLM (New Technology LAN Manager) credentials. This article delves into the details of this vulnerability, its implications, and the swift response from Acros Security with a micropatch to mitigate the threat.

Understanding the Vulnerability

The zero-day bug in question allows attackers to exploit a flaw in Windows Themes, enabling them to capture NTLM credentials from unsuspecting users. NTLM is a suite of Microsoft security protocols used for authenticating users and computers within a network. The implications of this vulnerability are severe, as it could allow malicious actors to gain unauthorized access to sensitive information and systems.

The Discovery

The vulnerability was initially addressed in January 2024 when Microsoft released a patch for CVE-2024-21320. However, Akamai researcher Tomer Peled discovered that the patch was insufficient. By sending a malicious theme file and tricking users into manipulating it—without necessarily opening the file—attackers could still force Windows to send authenticated network requests containing NTLM credentials to remote hosts. This loophole led to the identification of CVE-2024-38030, a similar security flaw that Microsoft patched in July 2024.
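The article says only that a malicious theme file can force Windows to send authenticated requests to a remote host; it does not describe what inside the file does that. The scanner below is an added example, not code from the article, Akamai or Acros Security. It assumes (as a working hypothesis, based on the .theme INI format) that the trigger is a file-path value that names a remote location, such as a UNC path or a URL, and flags every such value so a defender can triage theme files arriving by mail or download before they reach a desktop. The sample theme files and the 203.0.113.7 address are constructed for the example.

```python
"""Scan Windows .theme files (INI text) for values that point at remote hosts.

Added example, not from the article. Assumption: a theme file only forces
outbound authentication when one of its values names a remote location, so
flagging UNC paths and URLs is a useful triage check.
"""
import configparser
import re
from typing import List, Tuple

# A value is "remote" if it starts with a UNC prefix (\\host\share...),
# a forward-slash UNC form (//host/share...), or a URL scheme (http://...).
# Assumption: these three patterns cover the forms worth flagging.
REMOTE_RE = re.compile(
    r"^\s*(\\\\[^\\]+\\|//[^/]+/|[a-z][a-z0-9+.-]*://)", re.IGNORECASE
)

# Constructed sample: a benign theme that only references local files.
BENIGN_THEME = r"""
[Theme]
DisplayName=Corporate Blue

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Windows\img0.jpg
"""

# Constructed sample: one value points at a host on the network
# (203.0.113.7 is a documentation address, not a real server).
SUSPICIOUS_THEME = r"""
[Theme]
DisplayName=Quarterly Update
BrandImage=\\203.0.113.7\share\logo.png

[Control Panel\Desktop]
Wallpaper=C:\Users\Public\wall.jpg
"""


def find_remote_references(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every value naming a remote location.

    strict=False tolerates duplicate keys seen in real theme files;
    interpolation=None keeps %SystemRoot%-style values from being expanded;
    a single '=' delimiter stops the ':' in 'C:\\' from being treated as one.
    """
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",)
    )
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(theme_text)

    hits: List[Tuple[str, str, str]] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if REMOTE_RE.match(value):
                hits.append((section, key, value))
    return hits


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Read a .theme file from disk and report its remote references."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_remote_references(fh.read())


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        hits = find_remote_references(text)
        print(f"{name}: {len(hits)} remote reference(s)")
        for section, key, value in hits:
            print(f"  [{section}] {key} = {value}")
```

Run it against a directory of quarantined .theme attachments with `scan_theme_file`; any hit is worth holding back, because the remote host named in the value is where Windows would authenticate if the theme were applied.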

Mitja Kolsek, CEO of Acros Security, noted that while addressing CVE-2024-38030, their security researchers uncovered yet another instance of the same vulnerability, which persisted across all fully updated Windows versions, including the latest Windows 11 24H2.

The Response from Acros Security

In light of this discovery, Acros Security took immediate action. They reported the new zero-day vulnerability to Microsoft and have opted not to disclose specific technical details until an official patch is released. However, they have developed a free micropatch that addresses the issue, allowing users to protect themselves without waiting for Microsoft’s official fix.

Kolsek emphasized that the exploitation of this zero-day is similar to previous vulnerabilities reported by Akamai. He clarified that while the attack does require some user interaction—such as copying the theme file from an email or visiting a malicious website that automatically downloads the file—it remains a significant risk.

Microsoft’s Position

When approached for comment, Microsoft acknowledged awareness of the report but declined to provide specific details regarding the vulnerability or a timeline for a fix. A spokesperson stated, "We’re aware of this report and will take action as needed to help keep customers protected." This vague response has left many users concerned about the timeline for a comprehensive solution.

Protecting Yourself

To safeguard against this vulnerability, Acros Security has made micropatches available for both legacy versions of Windows Workstation and all currently supported Windows versions with the latest updates installed. Users are strongly encouraged to apply these micropatches as soon as possible to mitigate the risk of credential theft.

For those interested in understanding the exploit further, Acros Security has released a video demonstrating the vulnerability and the effectiveness of their micropatch.

Conclusion

The emergence of this Windows Themes spoofing zero-day vulnerability underscores the importance of vigilance in cybersecurity. While Acros Security has provided a timely solution through their micropatch, the onus remains on users to stay informed and proactive in protecting their systems. As the digital landscape continues to evolve, so too must our strategies for safeguarding sensitive information against emerging threats.
