“The real problem is that this keeps coming back with all kinds of file types,” said Ullrich. “Last year it was with Outlook; when you opened an email, it was possible to trigger these downloads from malicious servers. It’s a recurring problem. Microsoft is playing whack-a-mole in eliminating all the different spots this could be happening.”
Compounding the problem is the fact that the user password that goes out is sent in an easily cracked NTLM hash, which Ullrich calls an “ancient algorithm.” However, he added, Microsoft disabled the NTLM capability in recent versions of Windows, so only older versions of the OS should be at risk.
As Acros outlined in its blog, the history of spoofed Windows Themes goes back to last year, when Akamai researcher Tomer Peled found a vulnerability that would trigger the sending of a user’s NTLM credentials if a Theme file was viewed in Windows Explorer. “This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking a user’s credentials without any additional user action,” Acros notes.
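A defender-side check that follows from the mechanism described above, added here as an illustrative example rather than code from the article, Acros or Akamai: a Windows .theme file is plain INI text, so a scanner can flag any theme whose values point at a remote location (a UNC path or a URL), which is the kind of entry that makes Explorer reach out to another host when the file is merely displayed. The sample theme content, its section and key names, and the hostname are all constructed for this example; the set of properties a real theme can carry is wider than what the heuristic below shows.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample .theme content (not taken from the article). The sections and
# keys are illustrative assumptions of what such an INI file can contain; the
# hostname is a placeholder. One value points at a network share, the others are local.
SAMPLE_THEME = r"""[Theme]
DisplayName=Quarterly Branding
BrandImage=\\fileserver.example.test\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Users\Public\Pictures\wall.jpg
Pattern=

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""

# Heuristic for "this value is not on the local machine":
#   \\host\...        UNC path to a file server
#   //host/...        forward-slash UNC variant
#   scheme://...      http, https, file, ftp and similar URLs
REMOTE_RE = re.compile(r"^\s*(\\\\[^\\]+\\|//[^/]+/|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def find_remote_references(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples whose value points at a remote location.

    Any such entry is worth review: a theme that references another host can cause
    the viewing machine to authenticate to that host without the user opening anything.
    """
    # interpolation=None keeps %SystemRoot%-style values literal; strict=False tolerates
    # duplicate keys, which hand-edited theme files sometimes contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # preserve key case as written in the file
    parser.read_string(theme_text)

    hits: List[Tuple[str, str, str]] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and REMOTE_RE.match(value):
                hits.append((section, key, value.strip()))
    return hits


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Read a .theme file from disk and scan it.

    Theme files may be saved as UTF-16 with a BOM or as ANSI/UTF-8 (assumption: we
    detect the UTF-16 BOM and otherwise fall back to UTF-8 with lenient decoding).
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig", errors="replace")
    return find_remote_references(text)


if __name__ == "__main__":
    for section, key, value in find_remote_references(SAMPLE_THEME):
        print(f"remote reference in [{section}] {key} = {value}")
```

Running the block against the constructed sample reports the single BrandImage entry that points at a file share and stays quiet about the local wallpaper and visual-style paths. In a real deployment the scan would be pointed at user profile and shared-folder locations where theme files land, and a hit is a reason to quarantine the file rather than to open it in Explorer.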