Windows Themes zero-day bug exposes users to NTLM credential theft

Plus a free micropatch until Redmond fixes the flaw

There's a Windows Themes spoofing zero-day bug on the loose that allows attackers to steal people's NTLM credentials.

That's the bad news. The good news: Acros Security's 0patch has developed a free micropatch that it says fixes the issue so that users don't have to wait for Microsoft's official patch.

Microsoft declined to answer The Register's specific questions about the vulnerability and timeline for a fix. "We're aware of this report and will take action as needed to help keep customers protected," a Microsoft spokesperson told us via email.

The issue concerns the leaking of New Technology LAN Manager (NTLM) credentials. NTLM is a set of Microsoft security protocols used to authenticate users and computers on a network.

Back in January, Microsoft patched CVE-2024-21320, which was intended to fix the problem. But Akamai researcher Tomer Peled then discovered that attackers could still bypass the patch by sending a malicious theme file and convincing a user to manipulate (but not necessarily open) the file. This would force Windows to send authenticated network requests, containing the user's NTLM credentials, to remote hosts.

Peled's discovery and bug report resulted in CVE-2024-38030, a similar Windows Themes spoofing security hole that Microsoft fixed in July.

"When we learned about this second flaw, we had to fix our patches for CVE-2024-21320 as well," Acros Security CEO Mitja Kolsek said on Tuesday. "While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2."

The security firm reported the new zero-day to Microsoft and isn't sharing details until Redmond issues a new patch. There is, however, a video showing the exploit and the new 0patch micropatch that plugs the hole.

"Exploitation of this zero-day is identical to the previous ones previously reported by Akamai," Kolsek told The Register.

In response to our question about whether this vulnerability requires any user interaction to exploit, Kolsek said: "The user must either copy the theme file (e.g., from an email message or chat) to a folder or desktop on their computer, or visit a malicious web site that automatically downloads the file to their Downloads folder. It's not entirely without user interaction."

To protect against this threat, the firm developed micropatches for both security-adopted legacy versions of Windows Workstation, and all still-supported Windows versions with the latest available Windows updates installed. We'd suggest applying ASAP. ®
