Update: Microsoft's comment has been added to this article.
If you like to customize your Windows 10 desktop with third-party themes, beware: these themes can steal your Microsoft account password, and there appears to be no fix.
This information comes from Twitter user "Bohops," aka security researcher Jimmy Bayne, via Bleeping Computer. Bayne discovered that a Windows 10 .theme file can be configured to automatically download images from the Internet. In order to download the images, the theme file requires the user name and password for a Windows account.
Both credentials are sent to the server hosting the image. The user name is sent in plain text and the password is sent as an NTLM hash. The problem with the NTLM hash is this: it can easily be "cracked" using any of the free password-cracking programs. If someone, say the person running a server that hosts a third-party desktop theme image, gets the NTLM hash of a Windows account password, that password can be cracked in a matter of seconds.
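Because a .theme file is a plain INI file, the risky part (a wallpaper or slideshow path that points off the local machine) can be spotted before the theme is ever applied. The following scanner is an added example written for this article; it is not code from Bayne, Bleeping Computer or Microsoft. It assumes the documented .theme keys `Wallpaper` (under `[Control Panel\Desktop]`) and `ImagesRootPath` (under `[Slideshow]`), treats any UNC path or URL as remote, and only parses text; it never fetches anything. The embedded sample theme is constructed for the example and uses the reserved `example.invalid` host name.

```python
"""Flag resources in a Windows 10 .theme file that point to a remote host.

Windows loads the wallpaper and slideshow paths named in a .theme file
automatically. If such a path is a UNC share (\\host\share\...) or a URL,
the machine will try to fetch it from that host, which is the behaviour
described in the article. This check only parses the file; nothing is
downloaded. Added example, not code from the article or its sources.
"""
import configparser
import re

# A value is treated as remote when it is a UNC path (\\host\...) or carries
# a URL scheme (http://, https://, ...). Local drive paths such as C:\... and
# environment-variable paths such as %SystemRoot%\... do not match.
REMOTE_PATTERN = re.compile(r"^\s*(\\\\[^\\]+\\|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

# Constructed sample .theme content for this example (not a real theme file).
# The two remote entries use the reserved, non-resolving name example.invalid.
SAMPLE_THEME = r"""
; Constructed sample for this example
[Theme]
DisplayName=Sample Theme
ThemeId={00000000-0000-0000-0000-000000000000}

[Control Panel\Desktop]
Wallpaper=\\example.invalid\share\wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[Slideshow]
Interval=1800000
Shuffle=0
ImagesRootPath=http://example.invalid/images/

[Control Panel\Cursors]
Arrow=%SystemRoot%\cursors\aero_arrow.cur
"""


def is_remote(value: str) -> bool:
    """True if the value names a UNC share or a URL rather than a local file."""
    return REMOTE_PATTERN.match(value) is not None


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse .theme text as INI. interpolation=None keeps %SystemRoot% literal;
    strict=False tolerates duplicate keys; only '=' separates key and value,
    so the ':' in a URL is never taken as a delimiter."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def find_remote_resources(text: str):
    """Return a list of (section, key, value) for every remote-looking value.

    Keys come back lower-cased because configparser normalises them.
    """
    cfg = parse_theme(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if is_remote(value):
                findings.append((section, key, value.strip()))
    return findings


def scan_theme_file(path: str):
    """Convenience wrapper: scan a .theme file on disk."""
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        return find_remote_resources(fh.read())


if __name__ == "__main__":
    hits = find_remote_resources(SAMPLE_THEME)
    if not hits:
        print("No remote resources found.")
    for section, key, value in hits:
        print(f"REMOTE RESOURCE  [{section}] {key} = {value}")
```

Running the script against the constructed sample reports the UNC wallpaper and the HTTP slideshow root. A theme that only references local drive paths or `%SystemRoot%` produces no findings, which is what a theme from a trusted source should look like.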
If your PC is configured for remote desktop access, an attacker can log on as you using your Windows user name and password. Fortunately, remote desktop access is not built into Windows 10 Home and is not enabled by default in Windows 10 Pro or Enterprise.
Things get even worse when you log on to your computer using your Microsoft account credentials.
Stolen Windows account credentials only give the attacker access to the local machine, but Microsoft account credentials give the attacker access to Xbox Live, Office 365, OneDrive, Outlook.com, and the other Microsoft services tied to that account.
This situation is unlikely to be resolved anytime soon; sending NTLM hashes to random servers has been a Windows feature for 20 years. Microsoft's insistence on using Microsoft account credentials when setting up a new PC is a more recent development, but no less pervasive.
Bayne said in his Twitter thread that he reported the situation to Microsoft but was told it would not be fixed because it was a "design feature."
Tom's Guide has reached out to Microsoft for comment and will update this article as soon as we hear back.
To protect yourself, you can take the following steps:
Don't download third-party desktop themes from random websites or accept one that someone has sent you by email. Only obtain them from the Microsoft Store.
Set up two-factor authentication on your Microsoft account. This will make it much harder for an attacker to log into your Microsoft account, even if they have your password.
Use this new local Windows account (one not linked to your Microsoft account) for your everyday computing needs. That way, the theme's login attempt will not expose your Microsoft account credentials. Here are the instructions.
To make it even more secure, make sure that this second Windows account has only limited privileges. That way, you will not be able to install, remove, or modify most programs, but neither will any malware that steals your credentials or that you download by mistake.
Disable Remote Desktop: type "remote settings" in the Cortana search box in the lower left corner of the screen and select "Remote Desktop settings."
You may get a message that your edition does not support Remote Desktop, in which case you are done. If not, look for the "Enable Remote Desktop" switch and make sure it is off.
Bleeping Computer recommends a further step involving the Windows registry, but believes that only very technically proficient users should attempt it; tinkering with the registry can pose serious risks.
Microsoft issued the following statement in response to our request for comment:
"Microsoft has committed to its customers to investigate reported security issues and will provide updates to affected devices as soon as possible."