{"id":22938,"date":"2023-09-18T16:10:45","date_gmt":"2023-09-19T00:10:45","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/09\/18\/news-16668\/"},"modified":"2023-09-18T16:10:45","modified_gmt":"2023-09-19T00:10:45","slug":"news-16668","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/09\/18\/news-16668\/","title":{"rendered":"ThemeBleed exploit is another reason to patch Windows quickly"},"content":{"rendered":"<p>Included in the <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/09\/patch-now-september-microsoft-patch-tuesday-includes-two-actively-exploited-zero-days\">September 2023 Patch Tuesday<\/a> updates was a fix for a vulnerability which has been dubbed ThemeBleed.&nbsp;A Proof-of-Concept (PoC)&nbsp;exploit has been&nbsp;<a href=\"https:\/\/exploits.forsale\/themebleed\/\" target=\"_blank\" rel=\"nofollow\">released<\/a> by Gabe Kirkpatrick, one of the researchers acknowledged for reporting the vulnerability.<\/p>\n<p>The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. 
The ThemeBleed vulnerability was listed as&nbsp;<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-38146\" target=\"_blank\" rel=\"nofollow\">CVE-2023-38146<\/a>: a Windows Themes Remote Code Execution (RCE) vulnerability.<\/p>\n<p>Microsoft <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2023-38146\" target=\"_blank\" rel=\"nofollow\">assigned<\/a> a <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2020\/05\/how-cvss-works-characterizing-and-scoring-vulnerabilities\">CVSS score<\/a> of 8.8 (out of 10) and gave it a severity rating of &ldquo;Important&rdquo;, saying:<\/p>\n<blockquote><p>&ldquo;An attacker would need to convince a targeted user to load a Windows Themes file on a vulnerable system with access to an attacker-controlled SMB share.&rdquo;<\/p><\/blockquote>\n<p>A <em>.theme<\/em> file is a configuration (<em>.ini<\/em>) text file that is divided into sections, which specify visual elements that appear on a Windows desktop. Section names are wrapped in brackets ([]) inside the <em>.ini<\/em> file. A <em>.theme<\/em> file enables you to change the appearance of certain desktop elements.<\/p>\n<p>A related file format, <em>.themepack<\/em>, was introduced with Windows 7 to help users share themes. A <em>.themepack<\/em> must include your <em>.theme<\/em> file, as well as the background picture, screen saver, and icon files.<\/p>\n<p>Themes can be selected in the Personalization Control Panel only in Windows 7 Home Premium or higher, or only on Windows Server 2008 R2 when the Desktop component is installed.<\/p>\n<p>The ThemeBleed exploit is based on a race condition that can be triggered by opening a specially crafted <em>.theme<\/em> file. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. 
It becomes a bug when events do not happen in the order the programmer intended.<\/p>\n<p>The <em>.theme<\/em> files contain references to <em>.msstyles<\/em>&nbsp;files, which should contain no code, only graphical resources that are loaded when the theme file invoking them is opened. When the .theme file is opened, the .<em>msstyles<\/em> file will also be loaded.<\/p>\n<p>The researcher found that invoking a check of the theme version calls the <em>ReviseVersionIfNecessary<\/em> function and does not safely load a signed DLL (<em>_vrf.dll<\/em>), because the DLL is closed after verifying the signature, and then re-opened when the DLL is loaded via a call to LoadLibrary. During that interval the file could be replaced by a malicious version.<\/p>\n<p>Another problem lies in the fact that if a user were to download a theme from the web, this triggers the &#8216;mark-of-the-web&#8217; (MOTW) warning. MOTW was originally an&nbsp;<a href=\"https:\/\/outflank.nl\/blog\/2020\/03\/30\/mark-of-the-web-from-a-red-teams-perspective\/\" target=\"_blank\" rel=\"nofollow\">Internet Explorer security feature<\/a>. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from who-knows-where. Over time, it even contributed to&nbsp;<a href=\"https:\/\/nolongerset.com\/motw-blocks-all-vba\/\" target=\"_blank\" rel=\"nofollow\">preventing certain types of files from running<\/a>. However, this could be bypassed if the attacker wrapped the theme into a <em>.themepack<\/em> file. When using the <em>.themepack<\/em> file, the contained .theme opens automatically without serving the MOTW warning.<\/p>\n<p>While Microsoft&rsquo;s fix has removed the functionality that triggers the theme version check to avoid the race condition, it has not fixed the more fundamental problem in the verification procedure of <em>.msstyles<\/em> files. 
Nor has it added MOTW warnings to <em>.themepack<\/em> files.<\/p>\n<p>The researcher notes that the vulnerability appears to be only present in Windows 11.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/09\/themebleed-exploit-is-another-reason-to-patch-windows-quickly\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/exploits-and-vulnerabilities\" rel=\"category tag\">Exploits and vulnerabilities<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: theme<\/p>\n<p>Tags:  themepack<\/p>\n<p>Tags:  Microsoft<\/p>\n<p>Tags:  cve-2023-38146<\/p>\n<p>Tags:  msstyles<\/p>\n<p>An exploit has been released for a vulnerability in .themes that was patched in the September 2023 Patch Tuesday update.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/09\/themebleed-exploit-is-another-reason-to-patch-windows-quickly\">ThemeBleed exploit is another reason to patch Windows quickly<\/a> appeared first on <a rel=\"nofollow\" 
href=\"https:\/\/www.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[30148,22783,10516,30149,32,28285,30147],"class_list":["post-22938","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cve-2023-38146","tag-exploits-and-vulnerabilities","tag-microsoft","tag-msstyles","tag-news","tag-theme","tag-themepack"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22938"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22938\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22938"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}