New Windows Theme Zero-Day Vulnerability Lets Attackers Steal Credentials
A new Windows Theme zero-day vulnerability could allow attackers to obtain the NTLM credentials of affected systems. It was found while fixing CVE-2024-38030, a medium-severity Windows Themes spoofing issue.
Acros Security researchers reported that even though Microsoft recently issued a patch (CVE-2024-38030) to address the related problem, the risk was not fully mitigated.
The flaw affects several Windows platforms, including the latest version of Windows 11 (24H2), potentially exposing many users.
Windows Theme Zero-Day Vulnerability
Tomer Peled, a security researcher at Akamai, decided to investigate Windows theme files last year.
They found that when a theme file specified a network file path for some of the theme properties (namely BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including the user's credentials.
This meant that a malicious theme file placed on the desktop or listed in a folder would be sufficient to leak user credentials without any further user activity.
Microsoft addressed this issue three months after receiving the report (CVE-2024-21320). Researchers then developed patches for Windows computers that were no longer receiving Windows updates after the vulnerability information was disclosed.
Tomer then examined Microsoft's patch and discovered that it used the PathIsUNC function to determine whether a particular path in a theme file is a network path and, if so, ignored it.
This would have stopped the leak of NTLM credentials if it weren't for James Forshaw, who in 2016 detailed several methods of bypassing PathIsUNC.
Tomer found that the methods James had described could be used to bypass Microsoft's CVE-2024-21320 patch. He reported this to Microsoft so they could try again. Microsoft fixed the patch and assigned the new issue CVE-2024-38030.
"While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to the currently latest Windows 11 24H2", researchers said.
Therefore, the researchers created a more comprehensive patch for Windows theme files that addresses all execution paths that result in Windows sending a network request to a remote host specified in a theme file simply by viewing the file.
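As an added example (not code from Acros Security, 0patch or Akamai), the following Python scanner takes the inspect-the-file approach from the defender's side: it reads a .theme file and reports every BrandImage or Wallpaper value that is not a plain local path, using an allowlist rather than a PathIsUNC-style network-path check so that spellings such a check might miss are still flagged for review. The sample theme text is constructed for the example.

```python
import re

# Theme properties the article names as triggering an authenticated network
# request when they point at a remote host; matched in any section.
WATCHED_KEYS = {"brandimage", "wallpaper"}

# Allowlist: a plain drive-letter path (or one rooted in an environment
# variable such as %SystemRoot%) with single backslash separators only.
_SEGMENTS = r'\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+$'
_LOCAL_PATH = re.compile(r'^[A-Za-z]:' + _SEGMENTS)
_ENV_PATH = re.compile(r'^%[A-Za-z0-9_()]+%' + _SEGMENTS)


def classify_path(value: str) -> str:
    """'local', 'env' (expands at runtime, review it) or 'suspect'.
    Nothing here enumerates UNC spellings: anything that is not a plain
    local path is flagged, so a PathIsUNC-style miss still gets reviewed."""
    v = value.strip().strip('"')
    if _LOCAL_PATH.match(v):
        return "local"
    if _ENV_PATH.match(v):
        return "env"
    return "suspect"


def scan_theme(text: str) -> list:
    """Parse INI-style .theme text and return (section, key, value, verdict)
    for each watched key whose value is not a plain local path."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in WATCHED_KEYS:
            verdict = classify_path(value)
            if verdict != "local":
                findings.append((section, key.strip(), value.strip(), verdict))
    return findings


# Constructed sample theme text (not a real file): a UNC BrandImage and an
# environment-variable Wallpaper, both of which should be reported.
SAMPLE_THEME = r"""[Theme]
BrandImage=\\fileserver.example\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\bg.jpg
"""
```

Run `scan_theme` over each .theme file found on user desktops or in shared folders and treat any "suspect" finding as a file to quarantine and review.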
With their micropatch service, 0patch users are already protected against this 0day. Since there is currently no official vendor fix for this "0day" vulnerability, 0patch is offering the micropatches for free until such a fix becomes available.
Micropatches were created for all currently supported Windows versions with all available Windows Updates installed, as well as for the security-adopted legacy versions of Windows Workstation:
Legacy Windows versions:
- Windows 11 v21H2 – fully updated
- Windows 10 v21H2 – fully updated
- Windows 10 v21H1 – fully updated
- Windows 10 v20H2 – fully updated
- Windows 10 v2004 – fully updated
- Windows 10 v1909 – fully updated
- Windows 10 v1809 – fully updated
- Windows 10 v1803 – fully updated
- Windows 7 – fully updated with no ESU, ESU 1, ESU 2 or ESU 3
Windows versions still receiving Windows Updates:
- Windows 10 v22H2 – fully updated
- Windows 11 v22H2 – fully updated
- Windows 11 v23H2 – fully updated
- Windows 11 v24H2 – fully updated
"Note that patches were only created for Windows Workstation but not for Windows Server."
Researchers explain that "for Windows Themes to work on a server, the Desktop Experience feature needs to be installed (it's not by default)."
"In addition, for credentials to leak on a server, it's not enough just to view a theme file in Windows Explorer or on the desktop; rather, the theme file needs to be double-clicked, and the theme is thus applied."