On the occasion of the September 2023 Patch Tuesday, Microsoft confirmed a problem in the handling of Windows 11 themes that can be exploited by cyber criminals to execute malicious code. Tracked as CVE-2023-38146, the security flaw causes arbitrary code to be loaded on vulnerable systems simply by double-clicking a .theme file.
How malicious code execution works from a Windows 11 theme
The vulnerability has been nicknamed ThemeBleed by the researcher who found it, Gabe Kirkpatrick. He received a $5,000 reward for reporting it correctly and privately to Microsoft through its bug bounty program. We have already discussed how important bug bounty programs are, in the public administration sector too.
He points out that when a user double-clicks a .theme file, Windows 11 executes the following command:
"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>
The security problem, which can be leveraged to run code remotely simply by sending a malicious theme to the victim, resides in .msstyles files, objects containing resources used by the Windows theme. When the operating system loads a file of this type, a dedicated function in the uxtheme.dll library checks the theme version.
If the version read is 999, the system invokes another function, called ReviseVersionIfNecessary, which, until Microsoft intervened this month, contained a flaw that allows an attacker to replace one of the digitally signed libraries with an unsigned one, which is then loaded and executed on the machine.
The author of the discovery also adds that .theme files normally trigger the classic security warning that informs the user of the risks of opening a file downloaded from the Internet (Mark-of-the-Web). The warning can be bypassed, however, by creating a CAB-compressed archive (.themepack) containing the actual .theme file. When a .themepack file is opened, Windows shows no warning, despite the presence of the Mark-of-the-Web.
How to fix the security issue and avoid malicious code execution
The ThemeBleed bug currently appears to affect only Windows 11 and not earlier releases of the Microsoft operating system. To resolve the security problem caused by the incorrect handling of Windows 11 themes, it is therefore essential to install the September 2023 cumulative update.
As Kirkpatrick confirms, Microsoft limited itself to fixing the bug in the ReviseVersionIfNecessary function, while the race condition he also reported to the Redmond company persists. A race condition is a type of problem that occurs in computer systems, especially in multithreaded or multiuser environments, in which the program's behavior depends on the order in which the various operations are performed. This can lead to unpredictable or unwanted results, causing anomalous behavior or errors in the software.
Finally, Microsoft has not yet resolved the absence of the Mark-of-the-Web warning for CAB files that contain Windows themes.
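Since the .themepack warning gap is still open, a defender can at least watch for the rundll32 invocation shown above in process-creation telemetry. The following is an added detection example, not code from the article or from the researcher; it parses constructed sample log lines (a simplified "Key=Value|Key=Value" layout, not a real Sysmon format) and flags theme openings, treating .themepack archives as higher risk because they produce no Mark-of-the-Web prompt.

```python
import re
from dataclasses import dataclass

# The command Windows 11 runs when a theme file is double-clicked (from the article):
#   "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>
THEME_OPEN_RE = re.compile(
    r'rundll32\.exe"?\s+\S*themecpl\.dll,OpenThemeAction\s+"?(?P<path>[^"]+?)"?\s*$',
    re.IGNORECASE,
)

@dataclass
class Finding:
    theme_path: str
    severity: str  # "high" = CAB-packed theme (no MotW prompt), "medium" = plain .theme
    reason: str

def parse_fields(line: str) -> dict:
    """Split a constructed 'Key=Value|Key=Value' process-creation line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)

def inspect_process_event(line: str):
    """Return a Finding if the event is a theme opened via themecpl.dll, else None."""
    fields = parse_fields(line)
    m = THEME_OPEN_RE.search(fields.get("CommandLine", ""))
    if not m:
        return None
    path = m.group("path").strip()
    if path.lower().endswith(".themepack"):
        return Finding(path, "high", "CAB-packed theme opened: Mark-of-the-Web warning is not shown")
    if path.lower().endswith(".theme"):
        return Finding(path, "medium", "theme opened via OpenThemeAction")
    return Finding(path, "low", "unexpected file extension passed to OpenThemeAction")

def scan(lines):
    """Run inspect_process_event over every line and keep only the hits."""
    return [f for f in (inspect_process_event(line) for line in lines) if f]

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    r'Image=C:\WINDOWS\system32\rundll32.exe|ParentImage=C:\WINDOWS\explorer.exe|'
    r'CommandLine="C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction C:\Users\alice\Downloads\dark.themepack',
    r'Image=C:\WINDOWS\system32\rundll32.exe|ParentImage=C:\WINDOWS\explorer.exe|'
    r'CommandLine="C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\themecpl.dll,OpenThemeAction "C:\Users\alice\Desktop\my theme.theme"',
    r'Image=C:\WINDOWS\system32\rundll32.exe|ParentImage=C:\WINDOWS\explorer.exe|'
    r'CommandLine="C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.theme_path}: {finding.reason}")
```

A .themepack hit from a user's Downloads folder on an unpatched Windows 11 host is the case worth triaging first, since neither the user nor the CAB path gets the warning the .theme file alone would have shown.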
The researcher who discovered ThemeBleed published a Proof-of-Concept (PoC) that demonstrates the feasibility of the attack by launching the Windows calculator when a theme is double-clicked.
In another article we saw how Windows themes can be used to steal passwords and send them to third-party systems by exploiting the mechanism underlying NTLM, which Microsoft has recently strengthened.