Windows Theme Bug Exposes Credentials; Patch Still Pending

Microsoft has recently come under scrutiny once more as a new security vulnerability within Windows themes was exposed. This vulnerability, discovered by researchers at Akamai and patch management specialists 0patch, reveals that Windows systems could leak user credentials through a malicious Windows theme file. Although Microsoft had previously issued a security patch to address a similar flaw, researchers discovered that this patch was inadequate, leaving certain methods of credential leakage unprotected. As a result, a new vulnerability, identified as CVE-2024-38030, has surfaced, enabling attackers to leverage Windows theme files to gather user credentials in Windows systems, including the latest Windows 11 release.

The complexity of this issue highlights the layered challenges of maintaining security in widely used software platforms. The journey began with an investigation into Windows theme files by Tomer Peled, a security researcher at Akamai, who identified the potential for credential leakage through theme files. Windows theme files, which primarily serve to customize the look and feel of a user’s operating system, can be manipulated to send NT Lan Manager (NTLM) credential requests to a remote server. If the user simply sees the malicious theme file, even just in a folder or on their desktop, the attacker can trigger credential leakage without further user action. This vulnerability was designated as CVE-2024-21320 and allowed hackers to spoof theme files to collect user credentials by deceptively inserting network requests.

In response, 0patch, known for creating micropatches for vulnerabilities in software that no longer receives updates, began working on a micropatch to address CVE-2024-21320. However, the issue quickly became more complicated. As Peled and other researchers delved deeper, they identified that the existing Microsoft patch for CVE-2024-21320 was incomplete, failing to address all potential routes for credential leakage. Some of these methods had been documented years prior by researcher James Forshaw, who described ways attackers could exploit the vulnerability, bypassing patches meant to block credential transmission to remote servers. Recognizing these flaws, Peled reported the issue back to Microsoft, prompting the assignment of a new vulnerability ID, CVE-2024-38030.

During the development of additional micropatches for CVE-2024-21320, the 0patch team stumbled upon another vulnerability that posed similar risks. They found that on Windows versions up to the latest Windows 11 24H2, users were still vulnerable. Mitja Kolsek, CEO of ACROS Security and co-founder of 0patch, noted that the team decided to tackle the issue more broadly. Rather than simply patching the specific CVE-2024-38030 flaw, they developed a general micropatch targeting all execution paths that might lead Windows to send network requests based on theme files. This broad-spectrum approach effectively covers all possible routes attackers might use to initiate credential leakage through malicious Windows theme files.

The complexity and persistence of these vulnerabilities underscore the difficulties Microsoft faces in securing its vast software ecosystem, as vulnerabilities often remain undetected until extensive investigations like this reveal them. While Microsoft acknowledged the issue and has stated they will act as necessary to protect users, a formal patch through the Windows Update channel has not yet been released. The company has noted that they are examining the details to readdress this vulnerability, as per Kolsek’s statement, and Microsoft will deploy a new update once a comprehensive solution is developed.

In the interim, 0patch offers a temporary solution through its own micropatch, which can be accessed for free. 0patch’s approach allows users to protect their systems without waiting for the official patch from Microsoft. Users who wish to safeguard their systems against this zero-day vulnerability can install 0patch’s solution by creating a free account on the 0patch platform, a move that many may find valuable given the delayed release of Microsoft’s official update.

The discovery and disclosure of such vulnerabilities highlight the importance of collaborative efforts between external researchers, patch management experts, and software developers like Microsoft. As the threat landscape evolves and becomes increasingly complex, organizations must ensure that even minor elements of software, such as Windows theme files, are scrutinized and fortified against potential exploitation.