ThemeBleed exploit is another reason to patch Windows quickly

Included in the September 2023 Patch Tuesday updates was a fix for a vulnerability which has been dubbed ThemeBleed. A Proof-of-Concept (PoC) exploit has been released by Gabe Kirkpatrick, one of the researchers acknowledged for reporting the vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The ThemeBleed vulnerability was listed as CVE-2023-38146: a Windows Themes Remote Code Execution (RCE) vulnerability.

Microsoft assigned a CVSS score of 8.8 (out of 10) and gave it a severity rating “Important”, saying:

“An attacker would need to convince a targeted user to load a Windows Themes file on a vulnerable system with access to an attacker-controlled SMB share.”

A .theme file is a configuration (.ini) text file that is divided into sections, which specify visual elements that appear on a Windows desktop. Section names are wrapped in brackets ([]) inside the .ini file. A .theme file enables you to change the appearance of certain desktop elements.

A related file format, .themepack, was introduced with Windows 7 to help users share themes. A .themepack must include your .theme file, as well as the background picture, screen saver, and icons files.

Themes can be selected in the Personalization Control Panel only in Windows 7 Home Premium or higher, or only on Windows Server 2008 R2 when the Desktop component is installed.

The ThemeBleed exploit is based on a race condition that can be triggered by opening a specially crafted .theme file. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended.

The .theme files contain references to .msstyles files, which should contain no code, only graphical resources that are loaded when the theme file invoking them is opened. When the .theme file is opened, the .msstyles file will also be loaded.

The researcher found that invoking a check of the theme version calls the ReviseVersionIfNecessary function and does not safely load a signed DLL (_vrf.dll), because the DLL is closed after verifying the signature, and then re-opened when the DLL is loaded via a call to LoadLibrary. During that interval the file could be replaced by a malicious version.

Another problem lies in the fact that if a user were to download a theme from the web, this triggers the ‘mark-of-the-web’ (MOTW) warning. MOTW was originally an Internet Explorer security feature. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from who-knows-where. Over time, it even contributed to preventing certain types of files from running. However, this could be bypassed if the attacker wrapped the theme into a .themepack file. When using the .themepack file, the contained .theme opens automatically without serving the MOTW warning.

While Microsoft’s fix has removed the functionality that triggers the theme version check to avoid the race condition, it has not fixed the more fundamental problem in the verification procedure of .msstyles files. Nor has it added MOTW warnings to .themepack files.

The researcher notes that the vulnerability appears to be only present in Windows 11.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.