Are you a fan of customizing your Windows experience via themes? If so, you’re not alone. While it’s true that themes aren’t used by a majority of Windows users, they’re still highly popular.
If you’re creating your own themes, you don’t have anything to worry about. The danger lies in downloading theme packs from others, especially if you get them from a source you don’t know and trust implicitly.
Clever hackers can now create “poisoned” themes that can be used to steal Windows credentials. Security researcher Jimmy Bayne discovered the new flaw when he stumbled across a poisoned theme capable of tricking unsuspecting users into accessing a remote SMB share that requires authentication.
When the user attempts to access the remote resource that requires a login, Windows responds by automatically trying to log in, using your Windows user name and their hashed password. Naturally, the hacker sets up the attack so that they control the remote resource and thus, is able to harvest the credentials and dehash the password at their leisure.
Microsoft has spent the last few years migrating away from local Windows 10 accounts and is leaning more heavily on the Cloud. This makes the theme-based attack much more likely to succeed.
Even worse, Microsoft has expressed no interest in fixing this particular flaw, because according to a spokesman for the company, it’s working exactly as it is supposed to. That puts regular theme users in something of a bind.
Your first best defense against this type of attack is to make any themes you want to use yourself, or if you download a theme pack, be sure you’re getting it from a trusted source.
Barring that, your only other viable option is to block or re-associate the .theme, .themepack, or .desktopthemepackfile extensions to a different program. This approach, however, will break the theme functionality, so it can only be used by those who don’t need to frequently switch from one theme to another.
It’s not a common attack, but it’s definitely something to be on guard against.