New Microsoft Password Hack Uses Windows Themes 0-Day

In the intricate world of cybersecurity, the journey of patching vulnerabilities can often lead to unexpected discoveries. Such is the case with Microsoft, which has faced challenges in ensuring that its security patches address all potential threats. Recently, researchers from 0patch, a company specializing in patch management, uncovered a new zero-day vulnerability while developing a micropatch for an existing Windows security flaw.

How Hackers Fixed A Windows Vulnerability And Found Another That Spoofed Windows Themes To Steal Credentials

The saga begins with Tomer Peled, a researcher at Akamai, who last year identified a significant vulnerability in Windows theme files, designated CVE-2024-21320. This flaw allowed attackers to extract NT LAN Manager (NTLM) user credentials simply by displaying a malicious Windows theme file to a user. As Mitja Kolsek, CEO of ACROS Security and co-founder of 0patch, explained, “This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user’s credentials without any additional user action.”

In response, 0patch initiated the development of patches for CVE-2024-21320, particularly aimed at Windows systems that no longer receive official security updates. However, as Peled delved deeper into the issue, he discovered that Microsoft’s patch for CVE-2024-21320 did not fully address all potential credential leakage scenarios. This oversight led to the assignment of a new vulnerability identifier, CVE-2024-38030, based on findings from another researcher, James Forshaw, who had outlined multiple methods relevant to the new patch back in 2016.

While refining their micropatches for CVE-2024-21320, the 0patch team stumbled upon yet another bypass that persisted across various Windows versions, including the latest Windows 11 24H2 release. Kolsek noted, “Instead of just fixing CVE-2024-38030, we created a more general patch for Windows theme files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file.”
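The common thread in all of the theme-file issues above is a value inside the file that names a remote host, which Windows then contacts (and may authenticate to with NTLM) when the file is merely viewed. Until a vendor patch lands, a file server or mail gateway can at least surface theme files that contain such references for review. The scanner below is an added example for that purpose and is not code from 0patch, Akamai or Microsoft; it treats a .theme file as plain INI text and flags every value that is a UNC path or a URL. The key names in the constructed sample are ones used by the Windows theme format, the host names are placeholders, and the `.invalid` domains are deliberately unresolvable.

```python
"""Flag remote-host references in Windows .theme files (defensive triage aid).

Added example, not part of the article or of 0patch's micropatch. A .theme file is
INI text; the concern is any value naming a network location that Windows might
fetch when the file is shown. This scanner does not decide which keys Windows
actually dereferences; it reports every remote reference so a human can review it.
"""
import codecs
import re
import sys
from pathlib import Path
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str
    key: str
    value: str
    kind: str  # "unc" (\\host\share...) or "url" (scheme://host...)


# \\host\share or the long-form \\?\UNC\host\share; \\?\C:\... (a local device
# path) is deliberately NOT matched because it is not a network location.
_UNC_RE = re.compile(r"^\\\\(\?\\UNC\\)?[^\\?]")
# Any scheme://..., e.g. http://, https://, ftp://, file://
_URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def classify_value(value: str) -> Optional[str]:
    """Return "unc", "url" or None for a single INI value."""
    v = value.strip().strip('"')
    if _UNC_RE.match(v):
        return "unc"
    if _URL_RE.match(v):
        return "url"
    return None


def scan_theme_text(text: str) -> List[Finding]:
    """Walk INI sections/keys and collect every value that points off-host."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # e.g. "Control Panel\Desktop"
            continue
        if "=" not in line:
            continue  # malformed line; nothing to dereference
        key, value = line.split("=", 1)
        kind = classify_value(value)
        if kind is not None:
            findings.append(Finding(section, key.strip(), value.strip(), kind))
    return findings


def scan_theme_file(path: Path) -> List[Finding]:
    """Read a theme file, honouring a UTF-16 BOM (common for files saved by Windows)."""
    data = path.read_bytes()
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    return scan_theme_text(text)


# Constructed sample; the host names are placeholders, not real infrastructure.
SAMPLE_THEME = r"""; constructed sample theme, not a real file
[Theme]
DisplayName=Corporate Blue
BrandImage=\\fileserver.example.invalid\themes\logo.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
Pattern=

[Slideshow]
ImagesRootPath=http://remote.example.invalid/images
"""


if __name__ == "__main__":
    paths = [Path(p) for p in sys.argv[1:]]
    results = [(str(p), scan_theme_file(p)) for p in paths] if paths else [
        ("<sample>", scan_theme_text(SAMPLE_THEME))]
    for name, found in results:
        for f in found:
            print(f"{name}: [{f.section}] {f.key} -> {f.kind.upper()} {f.value}")
```

Run it with one or more `.theme` paths as arguments, or with none to scan the embedded sample; in the sample only the UNC `BrandImage` and the `http://` `ImagesRootPath` values are reported, while the local `%SystemRoot%` wallpaper is left alone. A hit is a review signal, not proof of malice: legitimate corporate themes sometimes reference a file share, which is exactly why the reporting is per-key rather than a single verdict.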

Microsoft Is Working On A Fix, The Windows 0patch Micropatch Is Already Here And Free To Use

As the situation unfolds, Microsoft has acknowledged the new vulnerability identified by ACROS Security and has committed to taking necessary actions to safeguard its customers. However, an official patch via the Windows Update system has yet to be released. Kolsek stated, “We reported our 0day to Microsoft and will withhold details from the public until they have re-fixed their patch. Meanwhile, 0patch users are already protected against this 0day with our micropatch.” Users can easily set up a free account and install the patch directly from the 0patch homepage, ensuring their systems remain secure in the interim.
