Don’t Leave Your Windows Open (to Attack)

 No matter what operating system you use, there will be vulnerabilities lurking in the nooks and crannies we may never consider. If you’re using Windows 10, here are two you should know about.

The first bug affects all Windows 10 editions except for Home, as it leverages Hyper-V, a feature that provides hardware virtualization. In order to create and modify files in certain areas of Windows a user needs elevated privileges. This is to protect sensitive areas of the operating system. Enabling Hyper-V circumvents the need for admin credentials, as researcher Jonas Lykkegaard showed how he was able to drop an arbitrary file into the System32 folder and then modify it with user-level credentials.

Luckily, Hyper-V is disabled by default, so if you don’t use any sort of virtualization you won’t be vulnerable. However, if you enable the Windows Sandbox feature, which is often used for testing software, Hyper-V will automatically be enabled as well. The risk of this bug is low enough that the researcher decided not to submit it directly to Microsoft, so it is unclear if or when a patch will be released. The best advice here would be to keep your system up to date and to disable features that you aren’t using.

The next bug involves a feature on Windows 10 that most users have used – Themes. Whether it’s selecting a pre-packaged theme to get away from that default blue, or using our own wallpapers to customize, nearly everyone makes some sort of change to the appearance of their desktop. Some users go a step further and export their custom themes to share or import custom themes that others have built. This is where the vulnerability comes in. Researcher Jimmy Bayne recently showed that modified Windows 10 themes could be used in Pass-the-Hash attacks.

Bayne demonstrated how an attacker could create a theme file with a modified wallpaper setting that would request a remote resource requiring authentication. If user tries to install the theme, Windows will automatically attempt to access the remote resource using the credentials of the user that is currently logged into Windows. From there an attacker can harvest the credentials. Even worse, this attack will work with Microsoft account credentials, meaning attackers would be able to access users’ online resources as well. The easiest way to mitigate the threat is to enable two-factor authentication and avoid custom themes from third parties.