Unofficial Patches Released for New Windows Themes Zero-Day Exploit
October 29, 2024
The discovery of a new zero-day vulnerability in Windows Themes has led to the release of free unofficial patches. The exploit, which allows attackers to remotely steal NTLM credentials, has been used in NTLM relay attacks and pass-the-hash attacks. These types of attacks allow threat actors to gain unauthorized access to sensitive data and spread laterally across compromised networks. Microsoft has previously announced plans to eliminate the NTLM authentication protocol in Windows 11 due to its vulnerability to such attacks.
The new zero-day was discovered by ACROS Security researchers while they were developing a micropatch for a different security issue, CVE-2024-38030. This issue could leak a user's credentials and was a bypass for another Windows Themes spoofing vulnerability, CVE-2024-21320, which Microsoft patched in January. According to Microsoft's advisory for CVE-2024-21320, an attacker would need to convince the user to load a malicious file onto a vulnerable system and manipulate the file, but not necessarily click or open it.
Despite Microsoft's patch for CVE-2024-38030 in July, ACROS Security found another issue that attackers could exploit to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2. Mitja Kolsek, ACROS Security CEO, explained that they found an additional instance of the same problem on all fully updated Windows versions. As a result, they created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file.
ACROS Security now provides free and unofficial security patches for this zero-day bug through its 0patch micropatching service for all affected Windows versions until official fixes are available from Microsoft. To install the micropatch on a Windows device, users need to create a 0patch account and install the 0patch agent. The micropatch will then be applied automatically without requiring a system restart if there is no custom patching policy to block it.
In response to the zero-day vulnerability, Microsoft stated that they are aware of the report and will take action as needed to help keep customers protected. The Microsoft Security Response Center also stated that they fully intend to patch this issue as soon as possible. Until official patches are available, Windows users can also apply mitigation measures provided by Microsoft, including applying a group policy that blocks NTLM hashes as detailed in the CVE-2024-21320 advisory.
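As an added illustration of the Microsoft mitigation mentioned above (example code written for this page, not from the article, ACROS Security or Microsoft), the following PowerShell reports whether the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy is enforced on a host, and lists any remote servers exempted from it. It assumes the policy is backed by the `RestrictSendingNTLMTraffic` and `ClientAllowedNTLMServers` values under the `MSV1_0` LSA key, which is the documented location; adjust if your environment differs.

```powershell
# Added example: check whether outgoing NTLM to remote servers is blocked on this host.
# Documented meaning of RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all.
# A missing value means the policy is not configured, so NTLM is allowed.
function Get-OutgoingNtlmRestriction {
    [CmdletBinding()]
    param(
        # Assumption: standard registry path that backs the Group Policy setting.
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0',
        [string]$ValueName = 'RestrictSendingNTLMTraffic'
    )
    $labels = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { [int]$item.$ValueName } else { $null }

    $setting = if ($null -eq $raw)              { 'Not configured (NTLM allowed)' }
               elseif ($labels.ContainsKey($raw)) { $labels[$raw] }
               else                               { "Unknown value ($raw)" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RawValue     = $raw
        Setting      = $setting
        # Only "Deny all" actually stops the credential leak described in the article;
        # "Audit all" merely logs the attempt.
        Enforced     = ($raw -eq 2)
    }
}

# Servers listed in the companion "Add remote server exceptions for NTLM authentication"
# policy are still allowed to receive NTLM, so review this list alongside the setting above.
function Get-NtlmServerExceptions {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0',
        [string]$ValueName = 'ClientAllowedNTLMServers'   # assumption: REG_MULTI_SZ backing value
    )
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ValueName | Where-Object { $_ -and $_.Trim() -ne '' })
}

$status = Get-OutgoingNtlmRestriction
$status | Format-List
if (-not $status.Enforced) {
    Write-Warning "Outgoing NTLM is not denied on $($status.ComputerName); a theme file pointing at a remote host can still trigger NTLM authentication."
}
$exceptions = Get-NtlmServerExceptions
if ($exceptions.Count -gt 0) { Write-Warning "NTLM exceptions configured for: $($exceptions -join ', ')" }
```

Run it in an elevated session on each workstation, or wrap it in a remoting loop, to confirm the Group Policy change actually landed before relying on it as a stopgap.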