New Microsoft Password Hack Uses Windows Themes 0-Day



    Try as it may, Microsoft doesn’t always manage to get security patching right the first time. Sometimes, external researchers looking at patching one vulnerability find another that emerges from the analysis. That is what has happened here: security researchers at patch management specialists 0patch developed a third-party micropatch for one Windows security vulnerability that bypassed Microsoft’s fix for another Windows vulnerability that had already been patched. During the development of that patch for a patch (are you still with me so far?), the researchers stumbled upon another Windows zero-day vulnerability.

    How Hackers Fixed A Windows Vulnerability And Found Another That Spoofed Windows Themes To Steal Credentials

    Are you sitting comfortably? Good, as this tale of Windows threat mitigation gets complicated pretty darn quickly. The story starts last year when an Akamai researcher called Tomer Peled undertook an analysis of Windows theme files and discovered a rather worrying vulnerability. CVE-2024-21320 meant that an attacker could obtain leaked NT LAN Manager (NTLM) user credentials just by showing a malicious Windows theme file to the user. “This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user’s credentials without any additional user action,” Mitja Kolsek, CEO of ACROS Security and co-founder of 0patch, said.


    0patch started to develop patches for CVE-2024-21320 to cover Windows systems no longer in receipt of security updates. This is where things start getting a bit complicated. Tomer Peled realized that the Microsoft patch for CVE-2024-21320 didn’t actually cover all credential-leaking options. Specifically, multiple credential-leaking methods described by another researcher, James Forshaw, in 2016 still worked against the new patch. Peled reported this to Microsoft, and another vulnerability was assigned: CVE-2024-38030.

    It was while fixing the existing 0patch micropatches for CVE-2024-21320 that researchers found another bypass that was still working on Windows versions right up to the very latest Windows 11 24H2 release. “Instead of just fixing CVE-2024-38030,” Kolsek said, “we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file.”
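    The root of the problem described above is a theme file that points Windows at a remote host. A defender can triage theme files for exactly that before they reach a desktop: the following is an added example (not code from 0patch, Akamai or the article) that parses a Windows .theme file (INI format) and flags every value that references a UNC path or URL. The sample theme content is constructed, and since the article does not say which theme keys cause the network request, the scanner conservatively reports any remote reference in any key.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample .theme content (INI layout) for demonstration only.
# One entry points at a UNC share and one at a URL; the rest are local.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Constructed Example Theme
BrandImage=\\203.0.113.10\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
Pattern=

[Control Panel\Cursors]
Arrow=%SystemRoot%\cursors\aero_arrow.cur
Hand=http://example.invalid/cursors/hand.cur
"""

# A value starting with \\host\ (UNC path) or with a URL scheme (http://,
# file://, ...) names a remote host; local drive paths and %VAR% paths do not.
REMOTE_VALUE = re.compile(r"^\s*(\\\\[^\\]+\\|[a-zA-Z][a-zA-Z0-9+.-]*://)")


def find_remote_references(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every theme value that references a remote host."""
    # interpolation=None so '%SystemRoot%' is not treated as a format string;
    # strict=False tolerates duplicate keys, which real theme files sometimes contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and REMOTE_VALUE.match(value):
                hits.append((section, key, value.strip()))
    return hits


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Read a .theme file from disk and report its remote references."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_remote_references(handle.read())


if __name__ == "__main__":
    for section, key, value in find_remote_references(SAMPLE_THEME):
        print(f"remote reference: [{section}] {key}={value}")
```

Any hit is a reason to quarantine the file rather than open the folder that contains it, because, as the article notes, merely viewing the file can be enough to trigger the request.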

    Microsoft Is Working On A Fix, The Windows 0patch Micropatch Is Already Here And Free To Use

    Although Microsoft is aware of the latest issue as uncovered by the researchers at ACROS Security, and has said it “will take action as needed to help keep customers protected,” a patch to fix the vulnerability is not yet available through the official Windows Update route. “We reported our 0day to Microsoft and will withhold details from public until they have re-fixed their patch,” Kolsek said. “Meanwhile, 0patch users are already protected against this 0day with our micropatch.” You can set up a free account and get the patch installed from the 0patch home page.
