Windows 11 exposes user credentials

Security researchers at ACROS Security have raised alarms regarding a persistent zero-day vulnerability in Windows that lets attackers capture users' credentials. Despite Microsoft's previous attempts to fix this issue, the flaw is still present in the latest iteration of Windows 11, specifically version 24H2.

This vulnerability is tied to Windows New Technology LAN Manager (NTLM), Microsoft's legacy challenge-response authentication protocol. After a user enters a username and password, Windows keeps the derived password hash and uses it to answer NTLM challenges from other hosts transparently, which is what gives NTLM its Single Sign-On (SSO) behaviour and also what makes an unexpected outbound authentication dangerous.

Historically, cybercriminals have exploited this by coercing vulnerable machines into authenticating to a server under their control. The attacker captures the NTLM challenge-response (commonly, if loosely, called the "NTLM hash") and can either crack it offline to recover the password or relay it to another service to act as the victim, for example to plant malware or move laterally.

Windows remains vulnerable

In a notable incident last year, Akamai showed that a Windows theme (.theme) file whose properties point at a network path could make Windows automatically send authenticated network requests to a remote host. Simply viewing such a file in Explorer, without applying the theme, was enough for Windows to connect to the host and send the user's NTLM credentials. Microsoft responded to this discovery with a patch aimed at mitigating the risk.

However, that patch was soon shown to be bypassable, and Microsoft issued a second patch. Yet ACROS Security's investigation found a further variant that the second patch does not cover, affecting every version of Windows from Windows 7 to the most recent Windows 11.

Microsoft has not yet shipped an official fix that comprehensively addresses this newly uncovered variant. In the meantime, ACROS Security has released an unofficial patch that hardens Windows' handling of theme files. Organisations that block outbound SMB (TCP 445) at the perimeter, or restrict outgoing NTLM traffic through Group Policy, also limit what an attacker can capture until an official fix arrives.

Winsage