The vulnerability doesn’t require any particular privileges to exploit, he noted, making it accessible to a wide range of potential attackers. It allows attackers to capture NTLM authentication hashes, potentially leading to further compromise if those hashes are cracked or used in pass-the-hash attacks, and it can be triggered simply by viewing a malicious theme file in Windows Explorer, requiring minimal user interaction, he noted. In some scenarios, he added, such as automatic downloads to the Downloads folder, users could unknowingly trigger the vulnerability.
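A check a defender might want alongside the patch: since a .theme file is INI-style text and the trigger is Explorer fetching a resource the file points at, a folder that receives automatic downloads can be swept for theme files whose values name a network location. The script below is an added example written for this article; it is not code from the article, Acros or Akamai. It assumes that any UNC path or URL in a theme value is worth flagging (the article does not say which keys Explorer dereferences, so every value is checked), and the sample theme, its host address and the Downloads path are constructed for the demo.

```python
"""Flag .theme files that reference remote resources (UNC paths or URLs).

Added example for this article; not code from the article, Acros or Akamai.
A Windows .theme file is INI-style text, and Explorer may fetch image paths
named in it when the file is merely listed, which is the trigger described
above. Which keys are dereferenced is not stated here, so every value is
checked. The sample theme below is constructed.
"""
import configparser
import re
from pathlib import Path
from typing import Dict, List, Tuple

# \\host\share\... UNC paths or http(s) URLs anywhere in a value (assumption:
# any such reference is treated as suspicious).
REMOTE_REF = re.compile(r"\\\\[^\\\s]+\\\S*|https?://\S+", re.IGNORECASE)

Hit = Tuple[str, str, str]  # (section, key, value)


def load_theme_text(data: bytes) -> str:
    """Decode a theme file; Windows often writes them as UTF-16 with a BOM."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def find_remote_references(theme_text: str) -> List[Hit]:
    """Return every (section, key, value) whose value names a remote resource."""
    # interpolation=None: theme values contain '%SystemRoot%'-style tokens.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. BrandImage
    parser.read_string(theme_text)
    return [
        (section, key, value)
        for section in parser.sections()
        for key, value in parser.items(section)
        if REMOTE_REF.search(value)
    ]


def scan_directory(directory: Path) -> Dict[str, List[Hit]]:
    """Recursively scan a folder (e.g. Downloads) for suspicious .theme files."""
    findings: Dict[str, List[Hit]] = {}
    for path in directory.rglob("*.theme"):
        try:
            hits = find_remote_references(load_theme_text(path.read_bytes()))
        except (OSError, configparser.Error):
            continue  # unreadable or malformed file: skip, don't abort the sweep
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample: one local wallpaper (benign) and one UNC brand image.
SAMPLE_THEME = r"""
; constructed sample for this example, not a real theme
[Theme]
DisplayName=Demo Theme
BrandImage=\\203.0.113.10\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[MasterThemeSelector]
MTSM=RJSPBS
"""

if __name__ == "__main__":
    for section, key, value in find_remote_references(SAMPLE_THEME):
        print(f"[{section}] {key} -> {value}")
    # Downloads folder assumed as the sweep target, per the scenario above.
    for path, hits in scan_directory(Path.home() / "Downloads").items():
        print(path, hits)
```

The scan only reads file contents and never lets Explorer render the folder, so it can run from a scheduled task or an EDR script without itself triggering the fetch; it is a detection aid, not a substitute for the vendor fix, and a theme that reaches the remote resource through a key the regex does not recognise would not be caught.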
The issue was found in multiple parts of the theme file handling process, he said, suggesting that there may be several areas where similar problems could occur. “The fact that multiple vulnerabilities have been found in quick succession suggests that Microsoft’s initial fixes may not have been comprehensive enough, possibly due to time constraints or an underestimation of the complexity of the problem. Given the number of possible configurations and use cases for Windows themes, it may be difficult for Microsoft to test all possible scenarios thoroughly.”
As Acros noted in its blog, the history of spoofed Windows Themes goes back to last year, when Akamai researcher Tomer Peled found a vulnerability that would trigger the sending of a user’s NTLM credentials if a Theme file was viewed in Windows Explorer. “This meant that simply seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking a user’s credentials without any additional user action,” Acros notes.