Take action now to plug Windows Themes vulnerability, says expert

The vulnerability doesn’t require any special privileges to exploit, he noted, making it accessible to a wide range of potential attackers. It allows attackers to capture NTLM authentication hashes, potentially leading to further compromises if those hashes are cracked or used in pass-the-hash attacks, and it can be triggered simply by viewing a malicious theme file in Windows Explorer, requiring minimal user interaction. In some scenarios, he added, such as automatic downloads to the Downloads folder, users could unknowingly trigger the vulnerability.

The issue was found in different parts of the theme file handling process, he said, suggesting that there may be multiple areas where similar problems could occur. “The fact that several vulnerabilities were found in quick succession suggests that Microsoft’s initial fixes may not have been comprehensive enough, possibly due to time constraints or an underestimation of the complexity of the problem. Given the number of possible configurations and use cases for Windows themes, it may be difficult for Microsoft to test all possible scenarios thoroughly.” 

As Acros outlined in its blog, the history of spoofed Windows Themes goes back to last year, when Akamai researcher Tomer Peled found a vulnerability that would trigger the sending of a user’s NTLM credentials if a Theme file was viewed in Windows Explorer. “This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user’s credentials without any additional user action,” Acros notes.
