Windows Themes zero-day bug exposes users to NTLM credential theft

There's a Windows Themes spoofing zero-day bug on the loose that allows attackers to steal people's NTLM credentials.

That's the bad news. The good news: Acros Security's 0patch has developed a free micropatch that it says fixes the issue so that users don't have to wait for Microsoft's official patch.

Microsoft declined to answer The Register's specific questions about the vulnerability and timeline for a fix. "We're aware of this report and will take action as needed to help keep customers protected," a Microsoft spokesperson told us via email.

The issue has to do with leaky New Technology LAN Manager (NTLM) credentials. NTLM is a set of Microsoft security protocols used to authenticate users and computers on a network.

Back in January, Microsoft patched CVE-2024-21320, and this was intended to fix the problem. But then Akamai researcher Tomer Peled discovered that attackers could still bypass the patch by sending a malicious theme file and convincing a user to manipulate (but not necessarily open) the file. This would force Windows to send authenticated network requests to remote hosts that contained a user's NTLM credentials.

Peled's discovery and bug report resulted in CVE-2024-38030, a similar Windows Themes spoofing security hole that Microsoft fixed in July.

"When we learned about this second flaw, we had to fix our patches for CVE-2024-21320 as well," Acros Security CEO Mitja Kolsek said on Tuesday. "While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2."

The security firm reported the new zero-day to Microsoft and isn't sharing details until Redmond issues a new patch. There is, however, a video showing the exploit and the new 0patch micropatch that plugs the hole.

"Exploitation of this zero-day is identical to the previous ones previously reported by Akamai," Kolsek told The Register.

In response to our question about whether this vulnerability requires any user interaction to exploit, Kolsek said: "The user must either copy the theme file (e.g., from an email message or chat) to a folder or desktop on their computer, or visit a malicious web site that automatically downloads the file to their Downloads folder. It's not entirely without user interaction."

To protect against this threat, the firm developed micropatches for both security-adopted legacy versions of Windows Workstation, and all still-supported Windows versions with the latest available Windows updates installed. We'd suggest applying ASAP. ®

Search
About Us
Website HardCracked provides softwares, patches, cracks and keygens. If you have software or keygens to share, feel free to submit it to us here. Also you may contact us if you have software that needs to be removed from our website. Thanks for use our service!
IT News
Oct 31
Oct 31
US Army should ditch tanks for AI drones, says Eric Schmidt

And what do you know, Google's former CEO just so happens to have a commercial solution

Oct 31
Windows Themes zero-day bug exposes users to NTLM credential theft

Plus a free micropatch until Redmond fixes the flaw

Oct 30
Reddit CEO thanks AI for helping the site finally turn a profit

After 19 years of losses, all it took was a machine translation of its posts to get out of the red

Oct 30
Best practices for GenAI vector data queries

Webinar Discover techniques for improving application performance and delivering relevant AI-driven insights

Oct 30
Oct 30
No-Nvidias networking club convenes in search of open GPU interconnect

Ultra Accelerator Link consortium promises 200 gigabits per second per lane spec will debut in Q1 2025