Key Takeaways:
Cybersecurity experts have discovered a new zero-day flaw in Windows Themes that could enable attackers to steal NTLM authentication hashes. The security firm ACROS Security detailed that this vulnerability affects all supported versions of Windows, including Windows 11.
In January, Microsoft patched a similar vulnerability, CVE-2024-21320, which had a CVSS score of 6.5. However, Akamai researcher Tomer Peled discovered that attackers could still bypass this patch by sending a malicious theme file and tricking the victim into interacting with it. This report led to the discovery of another spoofing vulnerability, CVE-2024-38030, which Microsoft addressed with a patch in July.
“When we learned about this second flaw, we had to fix our patches for CVE-2024-21320 as well,” ACROS Security CEO Mitja Kolsek explained. “While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2.”
According to ACROS Security, this new vulnerability is similar to CVE-2024-38030 and could enable hackers to launch authentication coercion attacks. In this type of cyberattack, an attacker deceives a system into sending authentication credentials to a malicious server.
A common technique involves NTLM relay attacks, where hackers intercept authentication requests and forward NTLM hashes to their own systems for access. NTLM is a suite of security protocols that provides authentication, integrity, and confidentiality for network users.
Windows Themes files let users customize wallpapers, screensavers, sounds, and colors. This newly discovered vulnerability stems from how theme files handle file paths for certain image resources, like Wallpaper or BrandImage. A hacker could exploit this flaw to prompt Windows to send an authenticated request, including the user’s NTLM hash, directly to the attacker’s device.
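As an added defender-side illustration (not code from ACROS Security or from this article), the following Python snippet parses the INI-style .theme format and flags the Wallpaper and BrandImage values the article names when they point off-host. The "off-host means UNC share or URL" heuristic, the list of watched keys and the sample file contents are assumptions made for this example.

```python
import re
from pathlib import Path

# Image-resource keys the article names, as (section, key). Which other keys
# the unpatched flaw reaches is not public, so this list is an assumption.
WATCHED_KEYS = {("control panel\\desktop", "wallpaper"), ("theme", "brandimage")}

# Heuristic (assumption): a value pointing off-host (UNC share or URL) is the
# kind of path that would make the shell authenticate to a remote server.
REMOTE_PATH = re.compile(r"^(\\\\[^\\]+\\|https?://)", re.IGNORECASE)


def parse_theme(text: str) -> dict:
    """Parse the INI-style .theme format into {(section, key): value}."""
    entries, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, _, value = line.partition("=")
            entries[(section, key.strip().lower())] = value.strip()
    return entries


def find_remote_resources(text: str) -> list:
    """Return (section, key, value) for watched keys whose value points off-host."""
    return [(s, k, v) for (s, k), v in parse_theme(text).items()
            if (s, k) in WATCHED_KEYS and REMOTE_PATH.match(v)]


def scan_directory(root: str) -> dict:
    """Map each *.theme file under root that has off-host references to its findings."""
    hits = {}
    for path in Path(root).rglob("*.theme"):
        data = path.read_bytes()  # .theme files may be UTF-16 (BOM) or ANSI/UTF-8
        enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
        findings = find_remote_resources(data.decode(enc, errors="replace"))
        if findings:
            hits[str(path)] = findings
    return hits


# Constructed samples: a benign theme with local resources, and one whose
# wallpaper path points at a UNC share (placeholder host name, not a real one).
BENIGN_THEME = ("[Theme]\nDisplayName=Corp\nBrandImage=%SystemRoot%\\web\\brand.png\n"
                "[Control Panel\\Desktop]\nWallpaper=%SystemRoot%\\web\\wallpaper\\img0.jpg\n")
SUSPECT_THEME = ("[Theme]\nDisplayName=Update\n"
                 "[Control Panel\\Desktop]\nWallpaper=\\\\FILESERVER-PLACEHOLDER\\share\\bg.jpg\n")
```

Running `scan_directory` over user profile and mail-attachment folders gives a quick hunt for theme files that would reach out to a remote host when applied; a hit is a lead to investigate, not proof of exploitation, since the heuristic does not model the exact path handling the unpatched flaw abuses.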
ACROS Security reported this new zero-day vulnerability to Microsoft earlier this week, but Microsoft has not yet released a patch to address it. In a statement to The Register, Microsoft acknowledged the issue, saying, “We’re aware of this report and will take action as needed to help keep customers protected.”
Administrators are advised to disable NTLM within their organizations to reduce the risk of cyberattacks. However, this change may cause issues if any part of the network still depends on NTLM for its operations.