A zero-day in Windows allows a malicious person to obtain credentials. Although Microsoft previously tried to fix this problem, the vulnerability still appears to be present in the latest version, Windows 11 24H2.
That's what security researchers at ACROS Security are warning about. The zero-day is related to Windows New Technology LAN Manager (NTLM). Microsoft uses this security protocol for user authentication: once a user has entered a username and password, it protects those login credentials, and NTLM then acts as a Single Sign-On (SSO) mechanism.
Cybercriminals have exploited NTLM in the past. They forced vulnerable network devices to authenticate to servers they controlled, and they placed malware on systems to obtain password hashes in NTLM form.
Windows remains vulnerable
Last year, Akamai discovered that a theme file with a network file path could cause Windows to automatically send authenticated network requests to remote hosts, including NTLM login credentials when the theme file was viewed in Explorer. Microsoft then addressed this problem with a patch.
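The mechanism described above is a theme file whose image entries point at a network location. As an added illustration that is not part of the original article, the Python below scans the INI-style contents of a .theme file for values that name a remote host (a UNC path or a file:// URL), which is the kind of entry a defender would want to flag before the file is opened in Explorer. The sample theme content is constructed; the key names are ones commonly found in theme files, and "remote-host.example" and "fileserver.local" are placeholder hostnames.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample .theme content (not from the article). Theme files are
# INI-style; the keys below reference image files, and a value that points at
# a remote share is what makes Explorer reach out to another host.
SAMPLE_THEME = """[Theme]
DisplayName=Sample theme
BrandImage=\\\\remote-host.example\\share\\brand.png

[Control Panel\\Desktop]
Wallpaper=C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg
TileWallpaper=0

[Slideshow]
ImagesRootPath=file://fileserver.local/pics
"""

# A UNC path (\\host\share\...) or a file:// URL with a non-empty host names a
# remote resource; file:///C:/... has an empty host and is local, so it is not
# matched.
REMOTE_PATH = re.compile(r"^(\\\\[^\\]+\\|file://[^/]+/)", re.IGNORECASE)


def find_remote_paths(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples whose value points at a remote host."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if REMOTE_PATH.match(value.strip().strip('"')):
                hits.append((section, key, value))
    return hits


def is_suspicious(theme_text: str) -> bool:
    """True when at least one entry would make Explorer contact a remote host."""
    return bool(find_remote_paths(theme_text))


if __name__ == "__main__":
    for section, key, value in find_remote_paths(SAMPLE_THEME):
        print(f"[{section}] {key} -> {value}")
```

Run against a real .theme file, the same check can be applied to the file's text before it is copied to a user's profile or opened in Explorer.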
However, hackers proved able to bypass the patch and carry out further malicious activity, forcing Microsoft to issue a second patch. ACROS Security then investigated it and discovered that the vulnerability was still present through another instance of the same flaw. This problem affects multiple operating system versions, from Windows 7 to the latest version of Windows 11.
Microsoft has no official fix that fully addresses the newly discovered vulnerability. Therefore, ACROS Security has released an unofficial patch to close the security holes in the Windows theme files.