Workstations At Risk: Unveiling the RCE Bug

Wajahat Raja

September 25, 2023 - TuxCare expert team

Recently, the world was made aware of a major vulnerability lurking within Windows Themes, tagged as CVE-2023-38146. This vulnerability, called ‘ThemeBleed,’ has a high severity rating of 8.8 and has sparked worry owing to the possibility of remote attackers executing malicious code. This blog investigates the Windows 11 RCE Bug in full, offering light on its origins, repercussions, and measures for mitigating Windows 11 RCE risk.

The Birth of ThemeBleed

Gabe Kirkpatrick, a dedicated security researcher, discovered this Windows 11 security vulnerability while looking into unusual Windows file types. Among these, he delves into the complexities of “.THEME” files, which are largely used to customize the appearance of the operating system. These files, which are normally safe, contain references to ‘.msstyles’ files, which are intended to contain only graphical resources and no executable code.

Unmasking the Windows 11 RCE Bug

Kirkpatrick’s keen eye detected a big inconsistency when he came across the use of a version number, “999.” This seemingly benign option generated a race condition within the function in charge of handling the ‘.MSSTYLES’ files, specifically the verification of a DLL’s signature (‘_vrf.dll’). This vulnerability provided a possibility for an attacker to replace a validated DLL with a malicious one, allowing remote code execution in Windows 11.

To demonstrate the seriousness of this critical Windows 11 bug, Kirkpatrick created a Proof-of-Concept (PoC) exploit that, when a theme file is launched, immediately opens the Windows Calculator. However, due to the ‘mark-of-the-web’ warning, observant users may still be warned of potential hazards while downloading theme files from the internet. Unfortunately, this defense mechanism can be bypassed by enclosing the theme in a ‘.THEMEPACK’ file, which is simply a CAB archive. When such a CAB file is launched, the integrated theme completely bypasses the ‘mark-of-the-web’ warning. This highlights the importance of Windows 11 exploit mitigation strategies.

Security Response For Windows 11 Bug

Microsoft acted quickly, recognizing the gravity of the situation. They resolved CVE-2023-38146 in their September 2023 Windows 11 RCE patch 12th September update by totally deleting the problematic “version 999” capability. However, as Kirkpatrick pointed out, the fundamental race problem continues to exist. Furthermore, Microsoft security advisory has yet to address the issue of themepack files lacking ‘mark-of-the-web’ warnings.

Windows 11 Vulnerability Assessment and Implications

Beyond the specifics of this Windows 11 zero-day exploit, it highlights a larger issue. Workstations and endpoints, which frequently run end-user software and operating systems, can be used by hostile actors to gain access to corporate networks. Attackers obtain an internal foothold after being penetrated, allowing them to examine systems that were previously separated from external threats. This Windows operating system vulnerability highlights the crucial need for strong cybersecurity security measures, frequent upgrades, and awareness among users.

Conclusion

The cybersecurity threat to Windows 11 serves as a sharp reminder of the ever-present hazards in the growing landscape of cybersecurity threats. Windows 11 security advisory recommends users install Microsoft’s September 2023 security updates as soon as possible since they not only address CVE-2023-38146 but also resolve two zero-day vulnerabilities that are presently being exploited.

With 57 more security patches for various apps and system components, this Windows 11 security update is an important step in bolstering your systems’ digital defenses. In an era where the line between online and offline is increasingly blurred, proactive measures are paramount in safeguarding against potential bugs behind vulnerabilities like this Windows 11 zero-day disclosure.

The sources for this piece include articles in Vulnera and BleepingComputer.

Summary