Security researchers at Acros have identified a new zero-day vulnerability related to Windows theme files, which poses a significant risk to user credentials. This flaw, discovered while addressing the previously reported CVE-2024-38030, allows attackers to potentially obtain NTLM credentials from compromised systems.
The vulnerability affects multiple Windows platforms, including the latest Windows 11 (version 24H2), raising concerns for a wide array of users. Despite Microsoft’s efforts to patch the initial spoofing issue, the researchers found that the threat was not entirely eliminated.
Windows Theme Zero-Day Vulnerability
Tomer Peled, a security researcher at Akamai, began investigating Windows theme files last year. His research revealed that when a theme file specified a network file path for certain properties—specifically BrandImage and Wallpaper—Windows would automatically send authenticated network requests to remote hosts. This behavior could lead to unintentional credential leaks if a malicious theme file was placed on a user’s desktop or within a folder.
Following the initial report of the vulnerability (CVE-2024-21320), Microsoft issued a patch three months later. However, researchers noted that the fix was insufficient for systems that had stopped receiving updates after the vulnerability was disclosed. Peled analyzed the patch and found that it employed the PathIsUNC function to identify network paths in theme files, aiming to prevent credential leaks. Unfortunately, this approach was vulnerable to methods outlined by James Forshaw in 2016, which could bypass the protections intended by the patch.
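The defensive lesson from the patch analysis above is that classifying a path as "network" with a deny-list check such as PathIsUNC is fragile; a triage tool should instead accept only paths it positively recognises as local. The following Python scanner is an added example (not code from the article, 0patch or Akamai): it parses a .theme file as INI and reports any BrandImage or Wallpaper value that is not rooted at a drive letter or at %SystemRoot%/%WinDir%. The section names [Theme] and [Control Panel\Desktop] are assumed from the .theme file layout (the article names only the properties), and the sample theme content is constructed.

```python
"""Flag wallpaper/brand-image entries in a Windows .theme file that do not
point at a plain local path (defensive triage, allow-list based)."""
import configparser
import re

# Properties the article names as triggering an authenticated request when they
# reference a remote host. Section names are assumed from the .theme INI layout.
WATCHED = {
    ("theme", "brandimage"),
    (r"control panel\desktop", "wallpaper"),
}

# Allow-list instead of a UNC deny-list: accept only values rooted at a drive
# letter (C:\...) or at %SystemRoot%/%WinDir%, which is how stock themes refer
# to wallpapers. Anything else (UNC, URL, unusual prefixes) is reported.
_LOCAL_ROOT = re.compile(
    r"^(?:[A-Za-z]:|%(?:SystemRoot|WinDir)%)\\(?!\\)", re.IGNORECASE
)


def is_local_path(value: str) -> bool:
    """True only for a value that is positively recognised as a local path."""
    return bool(_LOCAL_ROOT.match(value.strip().strip('"')))


def scan_theme_text(text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for each watched property that is not local."""
    # interpolation=None: values such as %SystemRoot% must not be treated as
    # configparser interpolation; strict=False tolerates repeated keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower  # match keys case-insensitively
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if (section.lower(), key) in WATCHED and not is_local_path(value):
                findings.append((section, key, value))
    return findings


# Constructed sample: a stock-style local wallpaper plus one remote reference.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Example
BrandImage=\\fileserver.example.test\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
"""

if __name__ == "__main__":
    for sec, key, val in scan_theme_text(SAMPLE_THEME):
        print(f"[{sec}] {key} -> {val}")
```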
Upon discovering this potential bypass, Peled alerted Microsoft, leading to the identification of the new issue, now classified as CVE-2024-38030. Researchers noted, “While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2.”
In response, researchers developed a more comprehensive patch aimed at addressing all execution paths that could result in Windows submitting network requests based on theme file content. Users of the micropatch service, 0patch, are already protected against this zero-day vulnerability. Until an official vendor fix is available, 0patch is offering these micropatches free of charge.
The micropatches have been created for all currently supported Windows versions with the latest updates installed, as well as for the following legacy versions of Windows Workstation:
- Windows 11 v21H2 – fully updated
- Windows 10 v21H2 – fully updated
- Windows 10 v21H1 – fully updated
- Windows 10 v20H2 – fully updated
- Windows 10 v2004 – fully updated
- Windows 10 v1909 – fully updated
- Windows 10 v1809 – fully updated
- Windows 10 v1803 – fully updated
- Windows 7 – fully updated with no ESU, ESU 1, ESU 2 or ESU 3
For Windows versions still receiving updates, the following are included:
- Windows 10 v22H2 – fully updated
- Windows 11 v22H2 – fully updated
- Windows 11 v23H2 – fully updated
- Windows 11 v24H2 – fully updated
It is important to note that the patches were specifically created for Windows Workstation and not for Windows Server. Researchers clarify that for Windows Themes to function on a server, the Desktop Experience feature must be installed, which is not the default setting. Furthermore, for credentials to leak on a server, the theme file must be double-clicked to apply it, rather than merely viewed in Windows Explorer or on the desktop.