Windows

Free unofficial patches are now available for a new Windows Themes zero-day vulnerability that allows attackers to steal a target's NTLM credentials remotely.

NTLM has been extensively exploited in NTLM relay attacks, where threat actors force vulnerable network devices to authenticate against servers under their control, and pass-the-hash attacks, where they exploit system vulnerabilities or deploy malicious software to acquire NTLM hashes (which are hashed passwords) from targeted systems.

Once they have the hash, the attackers can authenticate as the compromised user, gaining access to sensitive data and spreading laterally on the now-compromised network. One year ago, Microsoft announced that it plans to kill off the NTLM authentication protocol in Windows 11 in the future.

Bypass for incomplete security patch

ACROS Security researchers discovered the new Windows Themes zero-day (which has not yet been assigned a CVE ID) while developing a micropatch for a security issue tracked as CVE-2024-38030 that could leak a user's credentials (reported by Akamai's Tomer Peled), itself a bypass for another Windows Themes spoofing vulnerability (CVE-2024-21320) patched by Microsoft in January.

Peled found that "when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user's NTLM credentials when such theme file would be viewed in Windows Explorer."

"This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user's credentials without any additional user action," ACROS Security CEO Mitja Kolsek said.

Even though Microsoft has patched CVE-2024-38030 in July, ACROS Security found another issue attackers could exploit to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2.

"So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file," Kolsek added.

Kolsek also shared a video demo (embedded below), showing how copying a malicious Windows theme file on a fully patched Windows 11 24H2 system (on the left side) triggers a network connection to an attacker's machine, exposing the logged-in user's NTLM credentials.

Free and unofficial micropatches available

The company now provides free and unofficial security patches for this zero-day bug through its 0patch micropatching service for all affected Windows versions until official fixes are available from Microsoft, which have already been applied on all online Windows systems running the company's 0patch agent.

"Since this is a '0day' vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available," Kolsek said.

To install the micropatch on your Windows device, create a 0patch account and install the 0patch agent. Once the agent is launched, the micropatch will be applied automatically without requiring a system restart if there is no custom patching policy to block it.

However, it's important to note that, in this case, 0patch only provides micropatches for Windows Workstation because Windows Themes doesn't work on Windows Server until the Desktop Experience feature is installed.

"In addition, for credentials leak to occur on a server it's not enough just to view a theme file in Windows Explorer or on desktop; rather, the theme file needs to be double-clicked and the theme thus applied," Kolsek added.

While Microsoft told BleepingComputer they're "aware of this report and will take action as needed to help keep customers protected" when asked about the timeline for a patch, the Microsoft Security Response Center told Kolsek they "fully intend to patch this issue as soon as possible."

Windows users who want an alternative to 0patch's micropatches until official patches are available can also apply mitigation measures provided by Microsoft, including applying a group policy that blocks NTLM hashes as detailed in the CVE-2024-21320 advisory.

Related Articles:

Microsoft patches Windows zero-day exploited in attacks on Ukraine

Microsoft just killed the Windows 10 Beta Channel again

Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws

Windows 11 KB5046617 and KB5046633 cumulative updates released

Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws