Windows Themes 0-day opens door to NTLM credential theft

In the realm of cybersecurity, a new zero-day vulnerability has emerged, specifically targeting Windows Themes and enabling attackers to pilfer NTLM credentials. This flaw has raised concerns among users and businesses alike, but there is a silver lining: Acros Security’s 0patch has swiftly rolled out a complimentary micropatch designed to address this issue, allowing users to safeguard their systems without waiting for an official fix from Microsoft.

The Nature of the Vulnerability

The crux of the problem is the leaking of New Technology LAN Manager (NTLM) credentials, which are integral to Microsoft’s protocols for authenticating users and computers within a network. Earlier this year, Microsoft attempted to rectify a related issue, CVE-2024-21320, but subsequent research revealed that attackers could still exploit the weakness. Akamai researcher Tomer Peled found that by sending a malicious theme file, an attacker could trick a user into handling the file in a way that inadvertently causes Windows to transmit authenticated network requests carrying the user’s NTLM credentials.

This discovery led to the identification of CVE-2024-38030, another Windows Themes spoofing vulnerability that Microsoft patched in July. Mitja Kolsek, CEO of Acros Security, noted, “When we learned about this second flaw, we had to fix our patches for CVE-2024-21320 as well.” His team’s investigation revealed that this vulnerability persisted across all fully updated Windows versions, including the latest Windows 11 24H2.

Response and Mitigation

Acros Security has reported the new zero-day to Microsoft, opting to withhold specific details until an official patch is released. However, a video demonstration of the exploit, along with the new 0patch micropatch, is available for those interested in understanding the nature of the threat.


Kolsek elaborated on the exploitation method, stating, “Exploitation of this zero-day is identical to the previous ones reported by Akamai.” He clarified that user interaction is necessary for the exploit to succeed. Users must either copy the theme file from an email or chat to their computer or visit a malicious website that automatically downloads the file to their Downloads folder.
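The two passages above describe the same pattern: a theme file that, once it reaches the user's machine, makes Windows reach out to a network location and send an authenticated request. Acros has withheld the specifics of this new zero-day, so nothing here detects it in particular; what a defender can do in the meantime is triage theme files that arrive by email, chat or download and flag any whose image or wallpaper paths point off the local machine. The script below is an added example written for this page, not code from 0patch, Akamai or Microsoft. It assumes the documented INI layout of Windows .theme files (a [Theme] section with a BrandImage key and a [Control Panel\Desktop] section with a Wallpaper key); the sample theme contents, host address and file names are constructed for the example.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample inputs. The section and key names follow the Windows
# .theme INI layout; the file names, share and host are made up for this example.
SAFE_THEME = """[Theme]
DisplayName=Plain Theme
BrandImage=%SystemRoot%\\Resources\\Themes\\brand.png

[Control Panel\\Desktop]
Wallpaper=C:\\Users\\Public\\Pictures\\wall.jpg
"""

SUSPECT_THEME = """[Theme]
DisplayName=Totally Normal Theme
BrandImage=\\\\203.0.113.10\\share\\brand.png

[Control Panel\\Desktop]
Wallpaper=https://example.invalid/wall.jpg
"""

# A value is "remote" if it is a UNC path (\\host\share\...) or a URL.
# Resolving either of these would make Windows talk to a host chosen by
# whoever wrote the theme file.
REMOTE_REF = re.compile(r"^\s*(\\\\[^\\]+\\|https?://|ftp://)", re.IGNORECASE)


def find_remote_references(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every value that points to a remote host."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names as written (BrandImage, Wallpaper)
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if REMOTE_REF.match(value):
                hits.append((section, key, value))
    return hits


def load_theme_text(raw: bytes) -> str:
    """Decode a .theme file; these are often UTF-16 with a BOM, otherwise ANSI/UTF-8."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan a .theme file on disk (e.g. one sitting in a Downloads folder)."""
    with open(path, "rb") as fh:
        return find_remote_references(load_theme_text(fh.read()))


if __name__ == "__main__":
    for label, text in (("safe", SAFE_THEME), ("suspect", SUSPECT_THEME)):
        hits = find_remote_references(text)
        verdict = "REMOTE REFERENCES FOUND" if hits else "no remote references"
        print(f"{label}: {verdict}")
        for section, key, value in hits:
            print(f"  [{section}] {key} = {value}")
```

A hit is a reason to quarantine the file and look at where it came from, not proof of an attack: a theme that legitimately points at a corporate share will trigger it too, which is why the output lists the exact section and key. Pair this kind of file triage with the micropatch rather than relying on it alone, since the undisclosed variant may not use these fields at all.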

To mitigate this threat, Acros Security has developed micropatches for both legacy Windows Workstation versions and all currently supported Windows versions with the latest updates. Users are strongly encouraged to apply these patches as soon as possible to enhance their security posture.
