The vulnerability doesn’t require any particular privileges to exploit, he noted, making it accessible to a variety of potential attackers. It allows attackers to capture NTLM authentication hashes, potentially leading to further compromises if those hashes are cracked or used in pass-the-hash attacks, and it can be triggered simply by viewing a malicious theme file in Windows Explorer, requiring minimal user interaction, he noted. In some scenarios, he added, such as automatic downloads to the Downloads folder, users could unknowingly trigger the vulnerability.
The issue was found in various parts of the theme file handling process, he said, suggesting that there may be multiple areas where similar problems could occur. “The fact that multiple vulnerabilities were found in quick succession suggests that Microsoft’s initial fixes may not have been comprehensive enough, possibly due to time constraints or an underestimation of the complexity of the problem. Given the number of possible configurations and use cases for Windows themes, it may be difficult for Microsoft to test all possible scenarios thoroughly.”
As Acros outlined in its blog, the history of spoofed Windows Themes goes back to last year, when Akamai researcher Tomer Peled found a vulnerability that could trigger the sending of a user’s NTLM credentials if a Theme file was viewed in Windows Explorer. “This meant that simply seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user’s credentials without any additional user action,” Acros notes.