Windows 10 custom themes can be abused to potentially steal passwords it has emerged, in the latest security scare to hit Microsoft’s desktop OS.
As you’re probably aware, Windows 10 users can download a range of custom themes to personalize their desktop environment, with these themes being designed to be easy to share.
- Google really loves Microsoft’s Surface Duo phone
- Windows 10 May 2020 Update problems: how to fix them
- These are the best password managers
It’s a nice touch to be able to have convenient access to such themes to customize your operating system, but the problem here is that a security researcher, Jimmy Bayne, has discovered how themes can be used as a carrier for a so-called ‘Pass-the-Hash’ attack (as spotted by Bleeping Computer (opens in new tab)).
Bayne notes that a specially modified Windows theme can have a wallpaper key configured to point to a web resource that triggers an authorization prompt, allowing login credentials to be stolen (the login to your Microsoft account, unless you use a local login for Windows).
This is because Windows automatically attempts to log in to the remote resource and sends the username plus the NTLM hash of the password of the logged-in account (hence the Pass-the-Hash name). Of course, the attackers then have to crack the hashed password, but that might not be all that difficult, depending on the strength of the password (and as we all know, poor passwords are all too often used).
Working as designed?
Bayne fully details the problem, and potential countermeasures, in a collection of tweets as follows:
The wallpaper key is located under the "Control Panel\Desktop" section of the .theme file. Other keys may possibly be used in the same manner, and this may also work for netNTLM hash disclosure when set for remote file locations 2/4September 5, 2020
From a defensive perspective, block/re-associate/hunt for "theme", "themepack", "desktopthemepackfile" extensions. In browsers, users should be presented with a check before opening. Other CVE vulns have been disclosed in recent years, so it is worth addressing and mitigating 4/4 pic.twitter.com/xaEP1PeDN9September 5, 2020
As you can see above, Bayne explains that this possible attack vector has already been pointed out to Microsoft earlier this year, but the software giant said this is apparently working as designed, so not considered a vulnerability.
Further note that the prevention tactic discussed in the final tweet will effectively break Windows 10 themes, so you won’t be able to change from your existing one, but for now, that may be preferable to running any risks.
Jake Moore, cybersecurity specialist at ESET, commented: “These themes are clearly not created with security in mind, and given the risk of exposing passwords and other sensitive information, users must think twice before installing them.
“It is highly recommended to use two-factor authentication for as many services that offer it; with more users forced to move away from local Microsoft accounts, this comes with the added risk of remote attacks and the potential of attacking further services such as email.”
Using two-factor authentication for your Microsoft account is a good idea anyway, but this news might hurry you along to set that up, if you haven’t already.
- These are the best laptops around