The developers of the 0patch platform (owned by the Slovenian Acros Security) have released a free micropatch that fixes the problem with leaking NTLM credentials in Windows. Microsoft promised to get involved in solving the problem later.
Image Source: Windows/unsplash.com
The issue is related to the leak of New Technology LAN Manager (NTLM) credentials, a set of Microsoft-developed security protocols that are used to authenticate users and computers on a network. Back in January, Microsoft patched the NTLM-related vulnerability CVE-2024-21320, but then Akamai cybersecurity expert Tomer Peled discovered that attackers could bypass the patch by sending a potential victim a Windows theme file and forcing them to do some manipulations with it – You don’t even need to open the file. After these manipulations, Windows sends authenticated network requests to remote hosts with NTLN credentials belonging to the user.
As a result, the Windows theme spoofing vulnerability CVE-2024-38030 was registered and was fixed in July. Acros Security specialists analyzed the problem and identified an additional instance of the vulnerability, which is present in all fully updated versions of Windows up to Windows 11 24H2. The company reported its discovery to Microsoft and refused to release details until the software giant fixed the new vulnerability, but released its own micropatch that closes it. “We are aware of this report and will take appropriate action to help protect customers,” Microsoft said.
To exploit the vulnerability, “a user must either copy a theme file, for example, from an email or chat to a folder or desktop, or visit a malicious site from which the file is automatically downloaded to the Downloads folder,” Acros Security explained. That is, some actions on the part of the potential victim are still necessary.