Hackers Can Exploit Windows Themes Zero-Day Flaw to Steal User Credentials

A newly discovered zero-day vulnerability in Windows Themes allows hackers to steal NTLM authentication hashes.

Published: Oct 31, 2024



Key Takeaways:

  • Cybersecurity researchers have discovered a zero-day flaw in Windows Themes that allows hackers to steal NTLM authentication hashes.
  • The flaw opens up possibilities for NTLM relay attacks, where attackers intercept authentication requests.
  • Microsoft is actively investigating the newly reported vulnerability.

Cybersecurity experts have discovered a new zero-day flaw in Windows Themes that could enable attackers to steal NTLM authentication hashes. The security firm ACROS Security detailed that this vulnerability affects all supported versions of Windows, including Windows 11.

In January, Microsoft patched a similar vulnerability, CVE-2024-21320, which had a CVSS score of 6.5. However, Akamai researcher Tomer Peled discovered that attackers could still bypass this patch by sending a malicious theme file and tricking the victim into interacting with it. This report led to the discovery of another spoofing vulnerability, CVE-2024-38030, which Microsoft addressed with a patch in July.

“When we learned about this second flaw, we had to fix our patches for CVE-2024-21320 as well,” Acros Security CEO Mitja Kolsek explained. “While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2.”

NTLM relay attack method

According to ACROS Security, this new vulnerability is similar to CVE-2024-38030 and could enable hackers to launch authentication coercion attacks. In this type of cyberattack, an attacker deceives a system into sending authentication credentials to a malicious server.

A common technique involves NTLM relay attacks, where hackers intercept authentication requests and forward NTLM hashes to their own systems for access. NTLM is a suite of security protocols that provides authentication, integrity, and confidentiality for network users.

Windows Themes files let users customize wallpapers, screensavers, sounds, and colors. This newly discovered vulnerability stems from how theme files handle file paths for certain image resources, like Wallpaper or BrandImage. A hacker could exploit this flaw to prompt Windows to send an authenticated request, including the user’s NTLM hash, directly to the attacker’s device.
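As an added example (not code from the article, ACROS Security or Microsoft): a small Python check that parses a .theme file's INI-style sections and flags Wallpaper or BrandImage entries whose path points off the host. It generalizes slightly beyond the article by also treating URL-scheme values as remote; the sample theme text and the `files.example.invalid` host are constructed for the demonstration.

```python
import configparser
import re
from typing import List, Tuple

# Theme keys named by the article as carrying image paths.
IMAGE_KEYS = {"wallpaper", "brandimage"}

# A value is treated as remote if it is a UNC path (\\host\share\...),
# a forward-slash variant, or any URL scheme (assumption: these are the
# forms an outbound authentication attempt could be triggered through).
REMOTE_PATH = re.compile(r"^\s*(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

# Constructed sample: one local wallpaper, one brand image on a network share.
SAMPLE_THEME = r"""[Theme]
DisplayName=Constructed sample theme
BrandImage=\\files.example.invalid\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
"""


def find_remote_image_paths(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for each image entry pointing off-host."""
    # interpolation=None keeps %SystemRoot% literal; strict=False tolerates
    # the duplicate keys some real theme files contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str  # preserve key case for reporting
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.lower() in IMAGE_KEYS and REMOTE_PATH.match(value):
                hits.append((section, key, value.strip()))
    return hits


if __name__ == "__main__":
    for section, key, value in find_remote_image_paths(SAMPLE_THEME):
        print(f"remote image path in [{section}] {key} -> {value}")
```

Running the scan over theme files before they are deployed, or over attachments at a mail gateway, gives a detection signal independent of whether a patch for the flaw is installed.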

How to protect your organization against the Windows Themes spoofing flaw

ACROS Security reported this new zero-day vulnerability to Microsoft earlier this week, but Microsoft has not yet released a patch to address it. In a statement to The Register, Microsoft acknowledged the issue, saying, “We’re aware of this report and will take action as needed to help keep customers protected.”

Administrators are advised to disable NTLM within their organizations to reduce the risk of cyberattacks. However, this change may cause issues if any part of the network still depends on NTLM for its operations.
