Do you customize your Windows experience via themes?
If so, you're not alone. While it's true that themes aren't used by a majority of Windows users, they're still highly popular.
If you're creating your own themes, you don't have anything to worry about. The danger lies in downloading theme packs from others, especially if you get them from a source you don't know and trust implicitly.
Watch out for poisoned themes
Clever hackers can now create "poisoned" themes that can be used to steal Windows credentials. Security researcher Jimmy Bayne discovered the new flaw when he stumbled across a poisoned theme capable of tricking unsuspecting users into accessing a remote SMB share that requires authentication.
When the user attempts to access the remote resource that requires a login, Windows responds by automatically trying to log in, using your Windows user name and their hashed password. Naturally, the hacker sets up the attack so that they control the remote resource and thus, is able to harvest the credentials and dehash the password at their leisure.
Microsoft's use of Cloud exacerbates the issue
Microsoft has spent the last few years migrating away from local Windows 10 accounts and is leaning more heavily on the Cloud. This makes the theme-based attack much more likely to succeed.
Even worse, Microsoft has expressed no interest in fixing this particular flaw, because according to a spokesman for the company, it's working exactly as it is supposed to. That puts regular theme users in something of a bind.
What's the best defense?
Your first best defense against this type of attack is to make any themes you want to use yourself, or if you download a theme pack, be sure you're getting it from a trusted source.
Barring that, your only other viable option is to block or re-associate the .theme, .themepack, or .desktopthemepackfile extensions to a different program. This approach, however, will break the theme functionality, so it can only be used by those who don't need to frequently switch from one theme to another.
Our perspective
It's not a common attack, but it's definitely something to be on guard against.
~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there! " ~
By Denis Wilson and Melissa Stockwell
Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.
I'm Denis Wilson, President and Principal Consultant for DWP Information Architects. We build people/process/technology solutions to create better business outcomes for smaller enterprises in Los Angeles. We have created cost-effective office productivity and out-sourced service solutions for over 20 years, focusing principally on manufacturing, professional services, and healthcare. Our hallmarks are cloud and on-premises network reliability, cost-effective cybersecurity, and livable small business regulatory compliance.
I am also a published author and speaker, working extensively with business and professional associations to provide small business technology education programs. Contact me if you would like me to speak at your association
