Saturday, April 5, 2025

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine


Last year a security researcher found a vulnerability in Windows theme (.theme) files that let an attacker capture a Windows user's NTLM credentials.

A theme file is a plain-text file whose properties, such as the brand image or wallpaper, point at an image by path. When one of those properties names a network (UNC) path, Windows fetches the image from the remote host and, in doing so, authenticates to it automatically with the user's NTLM credentials, so the remote host receives the user's NTLM hash, which can then be cracked offline or relayed.

This meant a user could be compromised simply by having a malicious theme file displayed in Windows Explorer, for example after it was downloaded into a folder the user opened; the file did not have to be opened or applied, and no further user interaction was required.

Microsoft released a patch three months after receiving the initial report and assigned the vulnerability the identifier CVE-2024-21320.

However, a vulnerability researcher found that the patch relied on the PathIsUNC function to decide whether a path was remote, and that this check could be bypassed with path-handling techniques that had been publicly documented in 2016, once again leaking the user's NTLM credentials.


Microsoft acknowledged the bypass, assigned it the identifier CVE-2024-38030, and shipped an updated patch.

Because this second flaw was closely related to CVE-2024-21320, existing patches had to be adjusted. While doing so, 0patch's researchers found yet another way for a theme file to trigger a network request, affecting every Windows version up to and including Windows 11 24H2.

Rather than fixing only the specific path check at issue in CVE-2024-38030, 0patch wrote a more general micropatch that prevents viewing a theme file from triggering any network request at all.

Microsoft's 2011 blog post on its "Hacking for Variations" (HfV) process describes exactly this approach: once a vulnerability is reported in a component, proactively hunt for variants of it in that component through code review, bug database analysis, fuzz testing, and other tools.

Although that post is now more than a decade old, the practice remains relevant: vendors that adopt it identify and address related weaknesses far more comprehensively than those that fix only the reported instance.

0patch has now found a further zero-day of the same kind in Windows 11 24H2, on a machine with all current Microsoft patches applied, including the fixes for CVE-2024-21320 and CVE-2024-38030.

It again allows an attacker to use a malicious theme file to capture the victim's NTLM credentials.

0patch has reported the issue to Microsoft and is withholding technical details until Microsoft releases a fix.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
