A credential-stealing zero-day Windows Theme-related vulnerability has been uncovered by hackers analyzing a Microsoft security patch—here’s everything you need to know.
Try as it may, Microsoft doesn’t always manage to get security patching right the first time. Sometimes, external researchers looking at patching one vulnerability find another that emerges from the analysis. That is what has happened here, when security researchers at patch management specialists 0patch developed a third-party micropatch for one Windows security vulnerability that was bypassing another Windows vulnerability that had already been patched by Microsoft.
How Hackers Fixed A Windows Vulnerability And Found Another That Spoofed Windows Themes To Steal Credentials Are you sitting comfortably? Good, as this tale of Windows threat mitigation gets complicated pretty darn quickly. The story starts last year when an Akamai researcher called Tomer Peled undertook an analysis of Windows theme files and discovered rather worrying vulnerability.meant that an attacker could get leaked NT Lan Manager user credentials just by showing a malicious Windows Theme file to them.
It was while fixing the existing 0patch micro patches for CVE-2024-21320 that researchers found another bypass that was still working on Windows versions right up to the very latestrelease. “Instead of just fixing CVE-2024-38030,” Kolsek said, “we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file.
Although Microsoft is aware of the latest issue as uncovered by the researchers at ACROS Security, and has said it “will take action as needed to help keep customers protected,” a patch to fix the vulnerability is not yet available through the official Windows Update route. “We reported our 0day to Microsoft and will withhold details from public until they have re-fixed their patch,” Kolsek said, “Meanwhile, 0patch users are already protected against this 0day with our micropatch.
Windows 10 Windows 11 Windows Security Windows Vulnerability Windows Password Hack Microsoft Password Windows Password
United States Latest News, United States Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
Windows 11 Password Shock—Microsoft Confirms New Security Move For MillionsDavey Winder is a technology journalist who covers cybersecurity news and research. He’s covered everything from the true story behind the hacking of Donald Trump’s nude photos to a record-breaking ransomware payment of $75 million.
Read more »
Microsoft delivers new Copilot+ AI PC features with Windows 11's 2024 updateDevindra has been writing about the way technology intersects with our lives for nearly 20 years. He started the Amherst Student's first technology column, worked in IT support for many (many) years, and eventually moved to Brooklyn to cover New York's tech scene in 2009.
Read more »
How to get Microsoft's Windows 11 2024 update (and be ready for new Copilot+ features)Steve should have known that civil engineering was not for him when he spent most of his time at university monkeying with his 8086 clone PC. Although he graduated, a lifelong obsession of wanting the Solitaire win animation to go faster had begun.
Read more »
Microsoft's new Windows 11 update comes with energy use and Wi-Fi enhancementsThe new Windows 11 update is meant to boost basic PC functions, such as downloading files over Wi-Fi, compressing documents and managing energy use.
Read more »
Microsoft Issues New Windows 11 Blue Screen Warning For All UsersDavey Winder is a technology journalist who covers cybersecurity news and research. He’s covered everything from the true story behind the hacking of Donald Trump’s nude photos to a record-breaking ransomware payment of $75 million.
Read more »
Microsoft Warns Millions Of Windows Users—Change Your Browser To Stop New AttacksZak Doffman has covered security, surveillance and privacy on Forbes since 2018, focusing on the latest updates from the world’s largest tech companies, staying safe on smartphones and social media, and the dangers of AI.
Read more »