The vulnerability does not require special privileges to exploit, he noted, making it accessible to a wide range of potential attackers. It allows attackers to capture NTLM authentication hashes, which could lead to further compromise if those hashes are cracked or used in a pass-the-hash attack, and it can be launched by viewing a malicious theme file in Windows Explorer, which requires little user interaction, he noted. In some cases, he added, such as automatic downloads to the Downloads folder, users can unknowingly trigger the vulnerability.
The issue was found in different parts of the theme file handling process, he said, suggesting that there may be multiple areas where similar problems can occur. “The fact that several vulnerabilities were discovered in quick succession suggests that Microsoft’s initial fix may not have been thorough enough, perhaps due to timing issues or an underestimation of the severity of the problem. Given the number of possible configurations and use cases for Windows themes, it may be difficult for Microsoft to properly test all possible scenarios.”
As Acros explained on its blog, the history of compromised Windows themes goes back to last year, when Akamai researcher Tomer Peled discovered a vulnerability that could cause a user’s NTLM credentials to be sent if a theme file was viewed in Windows Explorer. “This means that just seeing a malicious theme file listed in a folder or placed on the desktop will be enough to leak user information without any additional user action,” notes Acros.
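As an added defensive example that is not part of the article, nor code from Acros or Akamai: a Python script that scans .theme files (plain INI text) in a folder such as Downloads and flags entries whose value points at a network location, since a theme entry that references a remote path is what makes Explorer reach out and authenticate when it renders the file. The sample theme content and the 203.0.113.10 address are constructed, and the remote-path trigger is a known detail of the theme format that the article itself does not spell out.

```python
import configparser
import re
from pathlib import Path

# Constructed sample .theme content: BrandImage points at a UNC path on a
# TEST-NET address, the kind of entry a scanner should flag. Wallpaper is a
# normal local path and must not be reported.
SAMPLE_THEME = r"""[Theme]
DisplayName=Sample
BrandImage=\\203.0.113.10\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
"""

# UNC paths (\\host\share\...) and URL-style references both lead off-host.
REMOTE_PATTERN = re.compile(r"^\s*(\\\\[^\\]+\\|https?://|file://)", re.IGNORECASE)


def find_remote_references(theme_text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for every entry referencing a network location."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if REMOTE_PATTERN.match(value):
                hits.append((section, key, value))
    return hits


def scan_theme_files(directory: Path) -> dict[str, list[tuple[str, str, str]]]:
    """Scan *.theme files under a directory (for example the user's Downloads folder)."""
    findings = {}
    for path in directory.rglob("*.theme"):
        raw = path.read_bytes()
        # Theme files saved by Windows may be UTF-16 with a BOM; sniff before decoding.
        if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
            text = raw.decode("utf-16", errors="replace")
        else:
            text = raw.decode("utf-8-sig", errors="replace")
        hits = find_remote_references(text)
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for hit in find_remote_references(SAMPLE_THEME):
        print("remote reference in sample theme:", hit)
    for file, hits in scan_theme_files(Path.home() / "Downloads").items():
        print(file, hits)
```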