Windows 10’s theme settings are flawed, and malicious actors can steal users’ credentials by crafting specific themes to carry out “Pass-the-Hash” attacks, Bleeping Computer reported on Twitter, citing security researcher Jimmy Bayne. Specifically, themes from outside sources can be installed, which allows an attacker to create a malicious theme file that, when opened, redirects the user to a page that requires their credentials.
It is reported that by simply right-clicking the desktop, you can be taken to the “Personalization – Themes” settings page. Users can then click “Save theme for sharing” to create a “.deskthemepack” file.
Custom themes created in this way can be shared, downloaded, and installed through channels such as e-mail. An attacker could also create a similar “.theme” file whose default wallpaper setting points to a website that requires authentication.
When careless users accidentally enter their credentials, the NTLM hash containing those details is sent to the site for authentication, which allows an attacker to brute-force a non-complex password with password-cracking software.
Users need to be wary of files with extensions such as .themepack and .desktopthemepackfile.
In response, Bleeping Computer suggested restrictions through Group Policy to prevent NTLM hash credentials from being sent to remote hosts. For enterprise users, however, doing so can interfere with normal authentication.
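As an added example (not part of the original report, and not Bleeping Computer’s or Bayne’s code), the following PowerShell shows how an administrator can inspect and change the policy the article refers to. It assumes the Group Policy setting “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”, which is stored under the registry key `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` as `RestrictSendingNTLMTraffic` (0 = allow, 1 = audit, 2 = deny), with `ClientAllowedNTLMServers` holding the exception list; the function names and the server name in the usage comment are the example’s own.

```powershell
# Added example: audit and harden outgoing NTLM authentication on a Windows host.
# Registry value assumed to correspond to the Group Policy setting
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
# Run from an elevated PowerShell session.

$LsaMsv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Meaning of RestrictSendingNTLMTraffic (assumed standard values)
$NtlmModes = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmRestriction {
    # Report the current mode and any servers exempt from the restriction.
    $props = Get-ItemProperty -Path $LsaMsv1Key -ErrorAction SilentlyContinue
    $value = $props.RestrictSendingNTLMTraffic
    if ($null -eq $value) { $value = 0 }   # value absent means the default, "Allow all"
    [pscustomobject]@{
        Value      = [int]$value
        Mode       = $NtlmModes[[int]$value]
        Exceptions = $props.ClientAllowedNTLMServers
    }
}

function Set-OutgoingNtlmRestriction {
    # Switch the mode; optionally list internal servers that still need NTLM
    # so that the restriction does not break legitimate enterprise authentication.
    param(
        [Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode,
        [string[]]$AllowedServers = @()
    )
    $value = switch ($Mode) { 'Allow' { 0 } 'Audit' { 1 } 'Deny' { 2 } }
    New-ItemProperty -Path $LsaMsv1Key -Name 'RestrictSendingNTLMTraffic' `
        -PropertyType DWord -Value $value -Force | Out-Null
    if ($AllowedServers.Count -gt 0) {
        New-ItemProperty -Path $LsaMsv1Key -Name 'ClientAllowedNTLMServers' `
            -PropertyType MultiString -Value $AllowedServers -Force | Out-Null
    }
    Get-OutgoingNtlmRestriction
}

# Usage: show the current state, then (commented out) move to audit mode first,
# review the NTLM operational event log, and only then deny with exceptions.
Get-OutgoingNtlmRestriction
# Set-OutgoingNtlmRestriction -Mode Audit
# Set-OutgoingNtlmRestriction -Mode Deny -AllowedServers 'fileserver01.corp.example'
```

Starting in audit mode rather than deny lets an enterprise discover which internal servers still rely on NTLM before the restriction is enforced, which addresses the interference with normal authentication the article mentions.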
Bayne added that he had disclosed the findings to the Microsoft Security Response Center (MSRC). Unfortunately, because this is a “design feature,” the issue has not been fixed.
It is not known whether the software giant will formally fix the issue or adjust the structure of theme files in the future to prevent abuse.