Windows 11's ThemeBleed RCE vulnerability, tracked as CVE-2023-38146, now has publicly available proof-of-concept exploit code. The flaw could allow remote attackers to execute code, and ThemeBleed received a high-severity score of 8.8 out of 10.
Threat actors can exploit this bug once a targeted user opens a malicious .THEME file that the attacker has crafted.
Microsoft was notified of the bug in May and awarded the researcher who discovered it $5,000. The company addressed CVE-2023-38146 two days ago, in its September 2023 Patch Tuesday update.
The ThemeBleed RCE first emerged in an unusual Windows file format.
According to reports, the ThemeBleed RCE vulnerability lies in an unusual Windows file format: .THEME files, which are used to customise the operating system's appearance.
These files typically reference .msstyles files, which should contain only graphical resources and no code. However, when an .msstyles file carries the version number "999", there is a gap between the time a DLL's signature is verified and the time the library is actually loaded, creating a race condition (a time-of-check/time-of-use window).
An attacker can exploit this race window to replace the verified DLL with a malicious one, thereby gaining the ability to execute arbitrary code on the target machine using a specially crafted .MSSTYLES file.
The researcher developed a Proof-of-Concept (PoC) exploit that causes the Windows Calculator to open when a user launches a theme file.
It was also noted that downloading a theme file from the web triggers a 'mark-of-the-web' warning, which could alert the user to the potential threat.
Unfortunately, attackers can bypass this warning by packaging the theme in a .THEMEPACK file, which is a CAB archive. Opening the .THEMEPACK automatically launches the contained theme without displaying the mark-of-the-web warning.
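As an added defensive illustration (not code from the article or from the researcher), the following script triages the two artefacts described above: it reads a .THEME file to find which .msstyles it references and flags styles that do not live in a Windows-owned themes directory, and it recognises a .THEMEPACK by its CAB container magic. The INI layout with a [VisualStyles] Path key, the allow-listed directories and the sample files are assumptions constructed for the example.

```python
import configparser
from typing import Optional

# Constructed sample .theme files (assumed INI layout; values are made up).
BUILTIN_THEME = """[Theme]
DisplayName=Aero sample

[VisualStyles]
Path=%ResourceDir%\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
"""

REMOTE_THEME = """[Theme]
DisplayName=Shared sample

[VisualStyles]
Path=\\\\fileserver\\share\\custom.msstyles
ColorStyle=NormalColor
"""

# Hypothetical allow-list: directories where Windows' own visual styles live.
TRUSTED_PREFIXES = (
    "%resourcedir%\\themes\\",
    "%systemroot%\\resources\\themes\\",
)

def referenced_msstyles(theme_text: str) -> Optional[str]:
    """Return the .msstyles path a .theme references, or None if it has none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(theme_text)
    if not cp.has_section("VisualStyles"):
        return None
    return cp.get("VisualStyles", "Path", fallback=None)

def triage_theme(theme_text: str) -> dict:
    """Flag a theme whose visual style is loaded from outside a trusted directory.

    The .msstyles named here is what gets parsed and loaded, so a reference to a
    UNC share or a user-writable folder is worth inspecting before applying it.
    """
    path = referenced_msstyles(theme_text)
    if path is None:
        return {"msstyles": None, "suspicious": False, "reason": "no visual style"}
    norm = path.strip().strip('"').lower()
    if norm.startswith(TRUSTED_PREFIXES):
        return {"msstyles": path, "suspicious": False, "reason": "trusted location"}
    if norm.startswith("\\\\"):
        return {"msstyles": path, "suspicious": True, "reason": "UNC path"}
    return {"msstyles": path, "suspicious": True, "reason": "outside trusted directory"}

def is_cab_container(data: bytes) -> bool:
    """A .themepack is a CAB archive; CAB files begin with the 'MSCF' magic."""
    return data[:4] == b"MSCF"
```

Extracting the .theme from inside a .THEMEPACK needs a CAB reader (for example `expand.exe` on Windows), after which the extracted file can be passed to `triage_theme`.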
Microsoft addressed the issue by removing the "version 999" functionality, but the underlying race condition still exists. Furthermore, the company did not address the absence of mark-of-the-web warnings for themepack files.
Windows users should apply Microsoft's September 2023 security updates immediately to prevent exploitation by threat actors. This incident shows the importance of installing updates as soon as they become available, a habit users should maintain to avoid future compromises.