Windows Themes zero-day bug exposes users to NTLM credential theft

October 30, 2024 at 05:35PM

A zero-day vulnerability in Windows Themes allows attackers to steal NTLM credentials. Acros Security provides a free micropatch to address the issue while an official fix from Microsoft is still pending. Exploitation requires user interaction, such as copying a malicious theme file. Users are advised to apply the micropatch promptly for protection.

### Meeting Takeaways:

1. **Vulnerability Overview**:
– A zero-day bug associated with Windows Themes spoofing has been identified, allowing attackers to steal NTLM credentials, which are critical for user and computer authentication on networks.

2. **Immediate Solution**:
– Acros Security’s 0patch has released a free micropatch to mitigate the vulnerability, enabling users to protect themselves while waiting for a formal fix from Microsoft.

3. **Microsoft’s Response**:
– Microsoft is aware of the vulnerability but has not provided specifics on a timeline for an official patch.

4. **Technical Details**:
– The issue concerns NTLM credential leakage: a malicious theme file sent to a user can cause Windows to issue an authenticated network request, which inadvertently exposes the user's NTLM credentials.

5. **Previous Vulnerabilities**:
– The current bug follows the discovery of a related flaw (CVE-2024-38030), addressed in July, which involved the manipulation of theme files to bypass prior patches.

6. **Next Steps for Users**:
– Users are advised to apply the 0patch micropatches for all supported Windows versions immediately.
– Precaution should be taken to avoid copying theme files from untrusted sources or visiting potentially dangerous websites that could download such files.

7. **User Interaction Requirement**:
– Exploitation of the zero-day does require some user interaction, either through copying the malicious file or visiting a compromised site.

8. **Future Reporting**:
– Acros Security will withhold specific details about the vulnerability until Microsoft releases an official patch to prevent additional exploitation.
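The summary describes the vector only in general terms (a theme file that prompts an authenticated request) and the specific details are being withheld, so nothing here reproduces it. As a defender-side check that is not part of the original article or of 0patch's tooling, the following added example scans a Windows `.theme` file (an INI-style text file) for values that reference a remote host via a UNC path or a `file://` URL, since those are the forms that make Windows open an SMB or WebDAV connection and authenticate to the named host. The sample theme content, the address in it and the `trusted_hosts` allow-list are constructed for the example; treating any remote reference as suspicious is a conservative heuristic, not a statement of how this particular bug works.

```python
import re
from pathlib import Path

# Constructed sample .theme content (INI format). The UNC path uses a
# documentation-range address, not a real server; the whole file is made up
# for this example and does not reproduce any real exploit file.
SAMPLE_THEME = r"""[Theme]
DisplayName=Example Theme

[Control Panel\Desktop]
Wallpaper=C:\Users\Public\Pictures\desert.jpg
Pattern=

[Slideshow]
ImagesRootPath=\\203.0.113.10\share\pics
"""

# A UNC path (\\host\share\...) or a file:// URL with a host component.
# Either one can make Windows connect to the named host over SMB/WebDAV and
# authenticate to it, which is the behaviour a credential-leak theme relies on.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\")
FILE_URL_RE = re.compile(r"file://([^/\s]+)/", re.IGNORECASE)


def find_remote_references(theme_text, trusted_hosts=()):
    """Return (section, key, host) for every value that points at a network
    host not listed in trusted_hosts (hypothetical allow-list of your own
    file servers)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    section = ""
    for raw in theme_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # new INI section header
            continue
        if "=" not in line:
            continue                      # not a key=value line
        key, value = (part.strip() for part in line.split("=", 1))
        for host in UNC_RE.findall(value) + FILE_URL_RE.findall(value):
            if host.lower() not in trusted:
                findings.append((section, key, host))
    return findings


def scan_theme_file(path, trusted_hosts=()):
    """Read a .theme file from disk and scan it. Theme files are often saved
    as UTF-16 with a BOM, so decode accordingly before falling back to UTF-8."""
    data = Path(path).read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    return find_remote_references(text, trusted_hosts)


if __name__ == "__main__":
    # Scanning the constructed sample flags the slideshow path that points
    # off-host; a file with only local paths produces no findings.
    for section, key, host in find_remote_references(SAMPLE_THEME):
        print(f"[{section}] {key} -> references remote host {host}")
```

Run `scan_theme_file` over any `.theme` file received from outside before it is copied or applied; an empty result means no value in the file names a remote host, while any finding is a reason to discard the file rather than open it. Flagging on the value rather than on a specific key keeps the check useful even though the article does not say which theme setting this bug abuses.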
