October 29, 2024 at 04:30PM
Free unofficial micropatches are now available for a Windows Themes zero-day vulnerability that allows NTLM credential theft. Discovered by ACROS Security, the issue affects all Windows versions, including fully patched ones. Users can apply the micropatches through the 0patch service while awaiting an official fix from Microsoft, which says it will address the problem promptly.
### Key Takeaways:
1. **New Vulnerability Identified**: A zero-day vulnerability in the way Windows handles theme files has been discovered. A malicious theme file can make Windows authenticate to an attacker-controlled host, leaking the user's NTLM credentials (the NetNTLM challenge-response hash) over the network. The issue has not yet been assigned a CVE ID.
2. **NTLM Exploits**: The NTLM protocol has long been a target of NTLM relay and pass-the-hash attacks. A NetNTLM response captured this way can be relayed to another service that accepts NTLM, or cracked offline to recover the password, giving an attacker unauthorized access to sensitive data.
3. **Microsoft’s Plans for NTLM**: Microsoft has announced that it intends to deprecate NTLM and phase it out of Windows 11 in favour of Kerberos, but no removal date has been set.
4. **Micropatching Development**: ACROS Security identified the vulnerability while developing a micropatch for CVE-2024-38030, an earlier Windows Themes NTLM-leak bug that Microsoft had already patched. Instead of mirroring Microsoft's fix, they wrote a more general patch covering the various execution paths through which a theme file can reference a network resource, and that patch also blocks the new, still-unpatched variant.
5. **Availability of Micropatches**: Free and unofficial micropatches for the identified zero-day vulnerability are now available via the 0patch micropatching service for all affected Windows versions (from Windows 7 up to Windows 11 24H2).
6. **Installation Process**: Users apply the micropatch by creating a free 0patch account and installing the 0patch Agent. The agent applies micropatches in memory to running processes as soon as it starts, so no system restart is required.
7. **Limitations for Windows Server**: The micropatch is available only for Windows workstation editions, because Windows Themes functionality is not operational on Windows Server unless the Desktop Experience feature is installed.
8. **Mitigation Measures**: Independently of the 0patch micropatch, users can apply the mitigations Microsoft recommends in its CVE-2024-21320 advisory, which stop the NTLM hash from being sent in the first place: restricting outgoing NTLM traffic to remote servers via Group Policy, and blocking outbound SMB (TCP port 445) at the perimeter firewall.
9. **Response from Microsoft**: Microsoft is aware of the vulnerability and has committed to providing an official patch as soon as possible. It says it is communicating with stakeholders about the timeline for the fix.
These points summarize the key information about the vulnerability, its risks, and the available mitigations, and underline the urgency of addressing the issue.
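As an added example, not from the original article and not 0patch's or Microsoft's own code, the following PowerShell applies and verifies the two mitigations referenced in item 8 on a workstation, showing the default (weak) outgoing-NTLM setting beside the hardened one. It assumes the machine does not need to send NTLM to servers outside the LAN and does not need SMB to the Internet; the `Internet` keyword for `-RemoteAddress` relies on Windows correctly classifying the remote address as non-local. Run it from an elevated session.

```powershell
# Added example (not from the article, 0patch or Microsoft): apply and verify the
# CVE-2024-21320 advisory mitigations on a workstation. Run elevated.
# Assumption: outbound NTLM to non-LAN servers and SMB to the Internet are not needed;
# use audit mode first and watch the NTLM/Operational event log before enforcing.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutboundNtlmPolicy {
    # RestrictSendingNTLMTraffic backs the policy
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # 0 = allow all (default, weak), 1 = audit all, 2 = deny all (hardened).
    $v = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) {
        2       { 'DenyAll' }
        1       { 'AuditAll' }
        default { 'AllowAll' }   # value absent means the weak default is in effect
    }
}

function Set-OutboundNtlmPolicy {
    param([Parameter(Mandatory)] [ValidateSet('AllowAll', 'AuditAll', 'DenyAll')] [string] $Mode)
    $value = @{ AllowAll = 0; AuditAll = 1; DenyAll = 2 }[$Mode]
    New-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
        -PropertyType DWord -Value $value -Force | Out-Null
    # Servers that legitimately need NTLM can be listed in the
    # ClientAllowedNTLMServers (REG_MULTI_SZ) value under the same key.
}

function Block-InternetSmb {
    # Block outbound SMB (TCP 445) to non-local addresses so that a theme file
    # pointing at an Internet host never gets as far as an NTLM exchange.
    $name = 'Block outbound SMB to Internet addresses'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Action
}

# Usage: check the current (usually weak) state, audit first, then enforce.
Get-OutboundNtlmPolicy            # 'AllowAll' on an unconfigured workstation
Set-OutboundNtlmPolicy -Mode AuditAll
# ... review Applications and Services Logs > Microsoft > Windows > NTLM > Operational ...
Set-OutboundNtlmPolicy -Mode DenyAll
Get-OutboundNtlmPolicy            # 'DenyAll'
Block-InternetSmb
```

Start with `AuditAll` and let it run for a while: every outgoing NTLM authentication that would have been blocked is logged, which tells you which internal servers to add to `ClientAllowedNTLMServers` before switching to `DenyAll`. The firewall rule is the more important of the two against this bug class, since it prevents the SMB connection itself; the NTLM policy additionally covers leaks over other transports.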
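For triage, the following PowerShell is an added example (not from the article, 0patch or Microsoft) that scans `.theme` files for image or wallpaper values pointing at a network location, the ingredient that the CVE-2024-21320 class of theme-file NTLM leaks relies on. It assumes the theme file is in its usual INI-style layout and treats any UNC path (`\\server\share`, `\\?\UNC\...`, forward-slash form) or URL as suspicious; the sample file it writes to `%TEMP%` is constructed for the demonstration and is not a real malicious sample.

```powershell
# Added example (not from the article, 0patch or Microsoft): flag .theme files whose
# values reference a network location. Assumption: a theme value that resolves to a
# UNC path or URL can make Windows authenticate over the network when the file is
# rendered, as in the CVE-2024-21320 class of issues referenced above.

function Get-ThemeNetworkReferences {
    param([Parameter(Mandatory)] [string] $Path)
    # Forms that denote a remote location rather than a local file:
    #   \\server\share\...    classic UNC
    #   \\?\UNC\server\...    extended-length UNC (also starts with two backslashes)
    #   //server/share/...    forward-slash UNC, which Win32 path APIs accept
    #   http://, https://, file://   URLs
    $remote  = '^(\\\\|//|(https?|file)://)'
    $section = ''
    $hits    = @()
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }       # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $kv = $line -split '=', 2
        if ($kv.Count -ne 2) { continue }
        $key   = $kv[0].Trim()
        $value = $kv[1].Trim()
        if ($value -match $remote) {
            $hits += [pscustomobject]@{ File = $Path; Section = $section; Key = $key; Value = $value }
        }
    }
    return $hits
}

# Constructed sample (not a real malicious file): one remote and one local reference.
$sample = Join-Path $env:TEMP 'sample.theme'
@'
[Theme]
DisplayName=Example
BrandImage=\\203.0.113.10\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
'@ | Set-Content -LiteralPath $sample

# Only the BrandImage line is reported; the local Wallpaper path is not.
Get-ThemeNetworkReferences -Path $sample | Format-Table -AutoSize

# Sweep a folder, e.g. Downloads, for theme files that point off-box:
# Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -Filter *.theme -Recurse |
#     ForEach-Object { Get-ThemeNetworkReferences -Path $_.FullName }
```

A hit is not proof of malice (a theme may legitimately reference a corporate file share), but a theme file arriving from outside the organisation with a UNC path to an Internet address is exactly the artefact this bug class uses, and is worth quarantining before anyone opens the folder it sits in. The check does not replace the micropatch or the mitigations above; it only helps find files that would trigger them.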