Karlston Posted September 7, 2020

New finding says custom Windows 10 themes can be used to steal users' credentials

A new finding shared on Twitter by security researcher Jimmy Bayne points towards a loophole in Windows 10’s themes settings that can let bad actors steal users’ credentials by creating a specific theme to carry out a ‘Pass-the-Hash’ attack. The ability to install separate themes from other sources lets attackers create malicious themes files that when opened, redirect users to a page that prompts users to enter their credentials.

Windows lets users share themes via the Settings UI by right-clicking on the currently active theme under Personalization > Themes and clicking on “Save theme for sharing”. This creates a ‘.deskthemepack’ file for sharing through email or other sources, which can then be downloaded and installed.

Attackers can similarly create a ‘.theme’ file wherein the default wallpaper setting points to a website that requires authentication. When unsuspecting users enter their credentials, an NTLM hash of the details is sent to the site for authentication. Non-complex passwords are then cracked open using special de-hashing software.

One way that the researcher provided for protecting against such files is by looking for and blocking extensions such as ‘.theme’, ‘.themepack’, and ‘.desktopthemepackfile’. Additionally, BleepingComputer lists a few alternatives via group policy that restricts sending NTLM hashed credentials to remote hosts. However, the publication cautions that doing so could interfere with enterprise setups that require this feature for authentication.

Bayne adds that these findings were disclosed to the Microsoft Security Response Center (MSRC). However, the bug was supposedly not fixed because it was a “feature by design”.

It is not clear if the company does plan on fixing the bug post this disclosure, or if it tweaks the file structure for the themes to prevent bad actors from leveraging it to point to sites that require authentication. Considering that most users are logged into their Microsoft accounts in Windows 10, the theft of the credentials also puts users’ linked data – such as email, OneDrive, and even Azure data – at risk. It is best for users to always enable two-factor authentication as a primary form of account security.

Source: Jimmy Bayne (Twitter) via BleepingComputer
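A defensive check for the '.theme' case described in the post above, as an added example that is not part of the original post or of the researcher's material: it flags any setting in a theme file whose value points at another host. The function names and the sample file are constructed for illustration, and the INI-style layout with a Wallpaper key under [Control Panel\Desktop] is assumed from Microsoft's documented theme format.

```python
import re

# Extensions named in the article, lower-cased for comparison.
THEME_EXTENSIONS = (".theme", ".themepack", ".deskthemepack", ".desktopthemepackfile")

# A value is remote if it is a UNC path (\\host\share or //host/share) or has a
# URL scheme (http://, file://, ...). \\?\ and \\.\ are local device paths.
REMOTE = re.compile(r"^(?:\\\\|//)(?![?.][\\/])[^\\/\s]+|^[a-z][a-z0-9+.-]*://", re.I)

def is_theme_file(filename):
    """True if the file name carries one of the theme extensions to filter on."""
    return filename.lower().endswith(THEME_EXTENSIONS)

def remote_references(theme_text):
    """Return (section, key, value) for every setting that names a remote host."""
    section, hits = "", []
    for line in theme_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        value = value.strip().strip('"')
        if sep and REMOTE.match(value):
            hits.append((section, key.strip(), value))
    return hits

# Constructed sample: only the wallpaper setting leaves the local machine.
SAMPLE_THEME = r"""
; constructed sample, not a real theme
[Theme]
DisplayName=Autumn
[Control Panel\Desktop]
Wallpaper=\\files.example.test\share\bg.jpg
TileWallpaper=0
[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
[Slideshow]
ImagesRootPath=C:\Users\Public\Pictures
"""

if __name__ == "__main__":
    for section, key, value in remote_references(SAMPLE_THEME):
        print(f"[{section}] {key} -> {value}")
```

The '.themepack' and '.deskthemepack' containers are archives, so this check applies to the '.theme' text file itself or to one extracted from such a pack.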
straycat19 Posted September 8, 2020

I guess there are still people out there who want their PC to "look pretty" rather than tweaking it to get the maximum speed. Themes have always been a drag on the system which is why I have never used any, nor any fancy backgrounds. I coax that maximum speed I can get regardless of the hardware. So they are definitely targeting a specific class of user, ones we referred to as "Pretty Boys" in years past.
frenchiveruti Posted September 12, 2020

This is beyond stupid, how can you leave such a big hole in the wall for someone to use like that hahaha, not even sanitize the code of the theme? Windows Defender nags me because I download some random exe file but does nothing for what's basically a txt hahah
steven36 Posted September 16, 2020

Windows 10's excessive updates caused patch makers to stop making patches for real custom themes like can be done in Windows 8.1 and below. The only themes Windows 10 has are the ones approved by M$ unless you use Windows blinds, and using them is not even safe according to the OP because people log in to Microsoft online, something I never did when I was using Windows.

> On 9/7/2020 at 9:55 PM, straycat19 said:
> Themes have always been a drag on the system

x64 browsers are a drag on people's systems too; do you not use them? Nowadays RAM is cheap and most people have plenty; what good is having it if you're not going to use it? A perfectionist does both: they tweak their system to look the best it can and tune it to run fast (good luck with fugly Windows 10 unless you buy stuff to fix it).

BTW it's just a Windows problem because Windows 10 is full of unneeded bloat to start off with; stuff that loads slow on Windows runs fast on Linux. Ricing Linux doesn't cause a performance hit and the sky is the limit, and you don't need to patch to go outside of the box because it's not closed-source garbage. Go tell these guys they're pretty boys and see how many downvotes you can get, and they will laugh at you if you tell them that you use Windows. https://www.reddit.com/r/unixporn/

Themes on Windows 10 are a built-in feature controlled by M$ because patch devs gave up because Windows 10 updates break their software. If you're having problems it means that you need to buy better hardware or use Linux, where you can get away with using slower hardware.

Linux Mint has a site where you can change themes, kind of like Microsoft does, called Cinnamon Spices, but it is also easy to add your own from other places. Cinnamon is one of the most customizable DEs. But MATE is not like that because Linux Mint doesn't provide them for that DE, so you need to install 3rd-party themes to make it look decent, but it's nothing hard to do really.

Most Linux distros have lots of different DEs with different themes. Most people on Linux don't run their DE the way it looked unless it's some enterprise that uses Red Hat GNOME. Not being able to make an OS look the way you want is boring; even if their rice looks ugly, it's the way they wanted it. Pretty sells, ugly does not; that's why women love Macs, they're nice and shiny. Giving up looks for speed or speed for looks means that there's something wrong with your OS or you use dated or low-end hardware. That's why I use Ubuntu Budgie; it looks good out of the box. I set it up one time years ago the way I wanted mine to look and never had to fool with it since.

Show us your Budgie Desktop - Ubuntu Budgie
https://discourse.ubuntubudgie.org/t/show-us-your-budgie-desktop/73
Sylence Posted September 21, 2020

Any response/comment from Microsoft? This is so far a one-sided story.
Karlston (Author) Posted September 21, 2020

> 2 hours ago, Sylence said:
> Any response/comment from Microsoft? This is so far a one-sided story.

From https://secureteam.co.uk/news/vulnerabilities/pass-the-hash-attack-discovered-in-windows-themes/ ...

> According to the researcher, Microsoft stated that the software is behaving as designed and has no plans to make a change to thwart this attack vector.
This topic is now archived and is closed to further replies.