Security researchers at Acros Security have stepped in to address an unresolved vulnerability in Windows theme files that can cause NTLM credentials to leak when viewing certain theme files in Windows Explorer. Although Microsoft recently released a patch (CVE-2024-38030) to fix a similar issue, the researchers found that this update did not fully address the risk. The vulnerability impacts a range of Windows systems, including the latest Windows 11 version (24H2), leaving many users potentially exposed.
How Microsoft’s Theme File Patch Fell Short
The origin of this flaw dates back to an earlier vulnerability, CVE-2024-21320, initially reported by Akamai researcher Tomer Peled. Peled discovered that some Windows theme files, which can specify paths for images and wallpapers, could be configured to make network-based requests. When such a file is viewed, Windows may send NTLM (New Technology LAN Manager) credentials to the host named in the path. NTLM is an authentication protocol that verifies user identity, but it exposes sensitive data if the exchange reaches an untrusted party. Peled's findings revealed that merely opening a folder containing a malicious theme file could cause NTLM credentials to be sent to an external server.
To fix this, Microsoft issued a patch that used a function called PathIsUNC to check for and block network paths. However, as security researcher James Forshaw had already demonstrated in 2016, this function can be bypassed with certain inputs, a flaw Peled quickly recognized. Microsoft then updated its patch, assigning the issue a new identifier, CVE-2024-38030, but the revised fix still did not close all avenues for exploitation.
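A defender-side way to audit theme files for the condition described above, added here as an example and not 0patch's or Microsoft's code: rather than trying to recognize every UNC spelling (the PathIsUNC approach), it accepts only plain local paths in the theme entries Explorer renders and reports everything else. The section and key names are taken from the .theme format as I recall it and should be treated as assumptions; the sample theme and placeholder host are constructed.

```python
"""Deny-by-default check for network paths in Windows .theme files.
Constructed example (not 0patch's or Microsoft's code): accept only plain
local paths and report everything else, instead of asking "is this UNC?".
"""
import configparser
import re
from io import StringIO
# .theme entries (assumed names) that point at files Explorer opens to render the theme.
PATH_KEYS = {
    ("control panel\\desktop", "wallpaper"),
    ("visualstyles", "path"),
    ("slideshow", "imagesrootpath"),
}

# Accept only "<drive>:\..." or "%ENVVAR%\..." followed by a plain relative remainder.
LOCAL_PATH = re.compile(
    r'^(?:[A-Za-z]:|%[A-Za-z0-9_()]+%)\\[^\\/:*?"<>|][^/:*?"<>|]*$'
)

def is_local_path(value: str) -> bool:
    """True only for paths that can resolve on the local machine."""
    v = value.strip()
    if "\\\\" in v or "//" in v or "://" in v:   # doubled separators or URL schemes
        return False
    return LOCAL_PATH.match(v) is not None

def scan_theme(text: str) -> list:
    """Return (section, key, value) for every path entry that is not local."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # values contain '%'
    cp.read_file(StringIO(text))
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):      # configparser lowercases keys
            if (section.lower(), key) in PATH_KEYS and not is_local_path(value):
                findings.append((section, key, value))
    return findings

# Constructed sample: two local entries and one pointing at a placeholder host.
SAMPLE_THEME = r"""
[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Windows\img0.jpg
[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
[Slideshow]
ImagesRootPath=\\placeholder-host\share\images
"""
if __name__ == "__main__":
    for section, key, value in scan_theme(SAMPLE_THEME):
        print(f"[{section}] {key}={value}  <- not local; Explorer may authenticate to it")
```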
0Patch Creates Broader Protection
Upon reviewing Microsoft’s patch, the Acros researchers discovered that it left some network paths in theme files unprotected, affecting even fully updated systems. To address this, they developed a more comprehensive micropatch, available through their 0Patch solution. Micropatching is a process that targets small, specific vulnerabilities independently of vendor updates, allowing quicker fixes for users. The patch from 0Patch prevents network paths from initiating credential leaks across all versions of Windows Workstation, blocking paths that Microsoft’s update did not cover.
Microsoft’s 2011 security guidelines describe a “Hacking for Variations” (HfV) approach, intended to detect multiple variants of any newly reported vulnerability. However, Acros’ discovery suggests this review process may have been insufficient here. The micropatch provides protection, filling the gaps left by Microsoft’s latest patch.
Free Fix Available for Legacy and Supported Systems
Recognizing the urgency of protecting users from unauthorized network requests, 0Patch has made the patch free for all affected systems. This fix spans various legacy and supported versions, from Windows 10 (v1803) to the current Windows 11. Supported systems include:
- Legacy Editions: Windows 7 and Windows 10 versions from v1803 up to v1909, each fully updated.
- Current Windows Versions: All versions from Windows 10 v22H2 to Windows 11 v24H2 with complete updates.
The patch covers only Workstation editions. On servers, the affected code depends on the Desktop Experience feature, which is not typically active, and theme files must be opened manually, so credentials are exposed only under specific conditions. On Workstation setups, however, the vulnerability poses a more direct risk, since a user can unwittingly view a malicious theme file and leak credentials.
0Patch Rolls Out Automatic Update for PRO and Enterprise Users
0Patch applied the micropatch across all systems enrolled in PRO and Enterprise plans with 0patch Agent installed, ensuring instant protection for active users. In a demo, 0Patch illustrated how fully updated Windows 11 systems initially attempted to connect to an unauthorized network when a malicious theme file was placed on the desktop. After 0Patch’s micropatch was enabled, this connection attempt was blocked, keeping credentials secure.
Last Updated on November 7, 2024 2:17 pm CET