An exploit has been released for the ThemeBleed RCE hole in Windows 11

Carding

A proof-of-concept exploit for a vulnerability in Windows Themes has been released. The flaw is tracked as CVE-2023-38146 and allows remote code execution.

Experts gave the vulnerability the name "ThemeBleed". It is known that it received a CVSS score of 8.8 and can be exploited if the victim opens a specially crafted malicious .THEME file.

Microsoft has eliminated CVE-2023-38146 with the release of the September update package. Users only need to install patches.

The vulnerability was pointed out by specialist Kirkpatrick after studying "strange file formats in Windows". One of these formats was .THEME, which is used to customize the appearance of the operating system.

Such files contain references to a different format — .msstyles, which should not contain code, only graphic resources.

As the researcher noted, when the version number is "999", processing of the .MSSTYLES file involves a noticeable gap between the time the DLL (_vrf.dll) signature is verified and the moment the library is actually loaded. This behaviour creates a race-condition class problem.

Using a specially crafted .MSSTYLES file, an attacker can use this bug to replace a legitimate DLL with a malicious one. After analyzing it, Kirkpatrick created a demo exploit, which can be found at this address: https://github.com/gabe-k/themebleed