Windows 10 themes allow attackers to steal Windows accounts
Many years ago, Google’s Project Zero security team disclosed vulnerabilities that Microsoft had not yet repaired. Under Google’s policy, the details of a vulnerability are disclosed three months after it is submitted.
The vulnerability is disclosed whether or not the vendor has fixed it within those three months. Microsoft twice failed to fix such vulnerabilities in time, leaving users exposed to a potential threat.
Sometimes, however, there are vulnerabilities that Microsoft is simply unwilling to fix. A vulnerability was previously discovered in Microsoft’s Remote Desktop Service, and Microsoft declared it a feature and refused to fix it.
Now, once again, researchers have disclosed a low-risk security vulnerability in Windows 10, and Microsoft has said it is a design feature and therefore refuses to fix it.
A few days ago, a researcher disclosed a security hole in Windows 10 themes. Microsoft allows users to create and share themes for others to install.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q
— bohops (@bohops) September 5, 2020
Windows 10 themes are essentially a bundle of wallpapers plus a description file, but the researcher found that this feature can be abused by attackers to steal credentials.
The attack works as follows: the attacker crafts a malicious theme file and shares it publicly to induce victims to install it.
When the victim installs the theme, an NTLM authentication dialog box pops up, that is, the standard Windows 10 system-level prompt for an account name and password.
Users who see the prompt may assume that their account password is required to install the theme. If they enter it, the hashed credential is sent to the attacker automatically.
Attackers can then run the captured hash through cracking tools to recover the victim’s plaintext account name and password.
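The attack hinges on a wallpaper entry in the .theme file (an INI-style file) that points off-host, so a defender can screen incoming theme files for exactly that. The following is an added example, not code from the researcher or from Microsoft; the sample theme text is constructed, and the check is generalised to flag any remote http(s) URL or UNC path in the file, not just the Wallpaper key.

```python
"""Screen a Windows .theme file (INI syntax) for wallpaper or slideshow paths
that point to a remote host, the trait behind the credential-prompt trick."""
import configparser
import re

# Remote locations: http(s) URLs and UNC paths such as \\server\share\bg.jpg
REMOTE_RE = re.compile(r"^\s*(https?://|\\\\[^\\]+\\)", re.IGNORECASE)

# Constructed sample theme: one local slideshow root (benign) and one
# wallpaper entry that points at a remote, possibly authentication-gated URL.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Company Theme

[Control Panel\Desktop]
Wallpaper=https://files.example.invalid/assets/wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[Slideshow]
ImagesRootPath=%SystemRoot%\Web\Wallpaper\Theme1
"""


def parse_theme(text):
    """Parse .theme text; interpolation is off so %SystemRoot% is kept verbatim."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # preserve key case exactly as written in the file
    cp.read_string(text)
    return cp


def find_remote_references(text):
    """Return (section, key, value) for every value that resolves off-host."""
    cp = parse_theme(text)
    return [(section, key, value)
            for section in cp.sections()
            for key, value in cp.items(section)
            if REMOTE_RE.match(value)]


def is_suspicious(text):
    """True when the wallpaper or slideshow root is fetched from a remote host."""
    return any(key in ("Wallpaper", "ImagesRootPath")
               for _, key, _ in find_remote_references(text))


if __name__ == "__main__":
    for section, key, value in find_remote_references(SAMPLE_THEME):
        print(f"[{section}] {key} -> {value}")
```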
The researcher submitted the vulnerability to the Microsoft Security Response Center, but Microsoft responded that this is a design feature and did not fix it.
So the researcher is now disclosing the details publicly, hoping to put pressure on Microsoft, but it is not clear whether Microsoft will address the issue in the future.
It is recommended that all personal and enterprise users who sign in with Microsoft accounts enable two-step verification, so that even if the account password is leaked, the attacker cannot log in to the account.