
New Windows Themes zero-day gets free, unofficial patches

Free unofficial patches are now available for a new Windows Themes zero-day vulnerability that allows attackers to steal a target’s NTLM credentials remotely.

NTLM has been extensively exploited in NTLM relay attacks, where threat actors force vulnerable network devices to authenticate against servers under their control, and in pass-the-hash attacks, where they exploit system vulnerabilities or deploy malicious software to acquire NTLM hashes (hashed passwords) from targeted systems.

Once they have the hash, the attackers can authenticate as the compromised user, gaining access to sensitive data and spreading laterally on the now-compromised network. One year ago, Microsoft announced that it plans to kill off the NTLM authentication protocol in Windows 11 in the future.

Bypass for incomplete security patch

ACROS Security researchers discovered the new Windows Themes zero-day (which has not yet been assigned a CVE ID) while developing a micropatch for CVE-2024-38030, a credential-leak issue found and reported by Akamai’s Tomer Peled that is itself a bypass for another Windows Themes spoofing vulnerability (CVE-2024-21320) patched by Microsoft in January.

“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” as Microsoft explains in the CVE-2024-21320 advisory.

Even though Microsoft patched CVE-2024-38030 in July, ACROS Security found another issue attackers could exploit to steal a target’s NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2.

“While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2,” ACROS Security CEO Mitja Kolsek said.

“So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file.”
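As an added example (not code from the article, ACROS or Microsoft), a small Python check a defender could run over .theme files that arrive by mail or download: it parses the INI-style theme and reports every value that names a remote host, which is the property that makes Windows send the outbound request Kolsek describes. The sample theme content, its keys and the host names are constructed for illustration.

```python
"""Scan Windows .theme files for values that reference a remote host.

Added example: a .theme file is INI-formatted, and any value that resolves to
a remote host (UNC path, file:// UNC, http(s) URL) can make Windows reach out
to that host when the file is merely viewed.
"""
import configparser
import re

# Constructed sample .theme content; host names are placeholders.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Sample Theme
BrandImage=\\remote.example\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
Pattern=

[Control Panel\Cursors]
Arrow=\\10.0.0.5\c$\cursors\arrow.cur

[Sounds]
SchemeName=@file://\\files.example\media\sound.wav,-1
"""

# A value points off-box when a host name follows "\\" or "//" (this covers
# UNC paths, file://\\host\... and http(s)://host/...). Drive-letter paths
# such as C:\... never match.
REMOTE_REF = re.compile(r"(?:\\\\|//)(?P<host>[A-Za-z0-9][A-Za-z0-9._-]*)")


def remote_references(theme_text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, host) for every value naming a remote host.

    Pass the decoded file text; real .theme files on disk are frequently
    UTF-16 with a BOM, so decode accordingly before calling this.
    """
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(theme_text)
    hits = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            match = REMOTE_REF.search(value)
            if match:
                hits.append((section, key, match.group("host").lower()))
    return hits


if __name__ == "__main__":
    for section, key, host in remote_references(SAMPLE_THEME):
        print(f"[{section}] {key} -> remote host {host}")
```

A file with any hit should be quarantined rather than opened in Explorer, since Windows resolves these references on preview, not only on apply.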

Kolsek shared a video demo (embedded below), showing how copying a malicious Windows theme file on a fully patched Windows 11 24H2 system…

Read the full original article at BleepingComputer.

Published by Sergiu Gatlan
