New Windows Themes zero-day gets free, unofficial patches

Free unofficial patches are now available for a new Windows Themes zero-day vulnerability that allows attackers to steal a target's NTLM credentials remotely.

NTLM has been extensively exploited in NTLM relay attacks, where threat actors force vulnerable network devices to authenticate against servers under their control, and pass-the-hash attacks, where they exploit system vulnerabilities or deploy malicious software to acquire NTLM hashes (which are hashed passwords) from targeted systems.

Once they have the hash, the attackers can authenticate as the compromised user, gaining access to sensitive data and spreading laterally on the now-compromised network. One year ago, Microsoft announced that it plans to kill off the NTLM authentication protocol in Windows 11 in the future.

Bypass for incomplete security patch

ACROS Security researchers discovered the new Windows Themes zero-day (which has not yet been assigned a CVE ID) while developing a micropatch for a security issue tracked as CVE-2024-38030 that could leak a user's credentials (found and reported by Akamai's Tomer Peled), itself a bypass for another Windows Themes spoofing vulnerability (CVE-2024-21320) patched by Microsoft in January.

"An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file," as Microsoft explains in the CVE-2024-21320 advisory.

Even though Microsoft has patched CVE-2024-38030 in July, ACROS Security found another issue attackers could exploit to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2.

"While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2," ACROS Security CEO Mitja Kolsek said.

"So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file."

Kolsek shared a video demo (embedded below), showing how copying a malicious Windows theme file on a fully patched Windows 11 24H2 system (on the left side) triggers a network connection to an attacker's machine, exposing the logged-in user's NTLM credentials.

Free and unofficial micropatches available

The company now provides free and unofficial security patches for this zero-day bug through its 0patch micropatching service for all affected Windows versions until official fixes are available from Microsoft, which have already been applied on all online Windows systems running the company's 0patch agent.

"Since this is a '0day' vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available," Kolsek said.

To install the micropatch on your Windows device, create a 0patch account and install the 0patch agent. Once the agent is launched, the micropatch will be applied automatically without requiring a system restart if there is no custom patching policy to block it.

However, it's important to note that, in this case, 0patch only provides micropatches for Windows Workstation because Windows Themes doesn't work on Windows Server until the Desktop Experience feature is installed.

"In addition, for credentials leak to occur on a server it's not enough just to view a theme file in Windows Explorer or on desktop; rather, the theme file needs to be double-clicked and the theme thus applied," Kolsek added.

While Microsoft told BleepingComputer they're "aware of this report and will take action as needed to help keep customers protected" when asked about the timeline for a patch, the Microsoft Security Response Center told Kolsek they "fully intend to patch this issue as soon as possible."

Windows users who want an alternative to 0patch's micropatches until official patches are available can also apply mitigation measures provided by Microsoft, including applying a group policy that blocks NTLM hashes as detailed in the CVE-2024-21320 advisory.