Microsoft has discovered an arbitrary code execution vulnerability in Windows 11. The vulnerability is a result of multiple factors, including a race condition called Time-of-Check Time-of-Use (TOCTOU), malicious Dynamic-Link Library (DLL) files, cab files, and the absence of Mark-of-the-Web validation. The company’s Security Response Center (MSRC) has been notified about the issue.
Windows 11 supports .theme files, which are used to customize the appearance of the operating system. These files reference .msstyles files, which specify the icons to be used in the theme. When a user clicks on a .theme file, it triggers certain commands that are executed by rundll32.exe.
During the loading of the .msstyles file, a function called LoadThemeLibrary in uxtheme.dll checks the version of the theme by loading the PACKTHEM_VERSION resource. If the version is read as 999, the function ReviseVersionIfNecessary is called. This function creates a new file path for the .msstyles file, appending “_vrf.dll” to it. The signature on the _vrf.dll file is then verified.
Here’s where the vulnerability comes into play. The signature check and the load are two separate opens of the same path: the file is verified, closed, and then loaded again by name. A threat actor can take advantage of the time frame between the closing and loading of the _vrf.dll file to replace it with a malicious DLL. This allows them to execute arbitrary code on the system, potentially gaining unauthorized access and compromising the security of the device.
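The check-then-load race described above, modelled as an added example (not Microsoft's code and not the researcher's proof-of-concept): a hypothetical loader verifies a companion DLL by path, closes it, and re-opens it to load, while the hardened form reads the bytes once and uses exactly what it verified. The SHA-256 "signature" stand-in, the file name and the injected race hook are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed stand-in for Authenticode verification: the "signed" DLL is the
# one whose digest matches a trusted value (a real loader would call WinVerifyTrust).
TRUSTED_DLL = b"MZ-trusted-vrf-dll-bytes"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_DLL).hexdigest()


def signature_valid(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() == TRUSTED_DIGEST


def vulnerable_load(path: Path, race: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """Verify by path, close, then open the path a second time to load.
    Whatever happens between the two opens is invisible to the check."""
    if not signature_valid(path.read_bytes()):  # time-of-check: first open, then closed
        return None
    race()                                       # the TOCTOU window
    return path.read_bytes()                     # time-of-use: independent second open


def hardened_load(path: Path, race: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """Read once, verify those bytes, and use those same bytes.
    A replacement after the check cannot change what gets loaded."""
    data = path.read_bytes()
    if not signature_valid(data):
        return None
    race()                                       # same window, now harmless
    return data                                  # exactly the verified bytes


def demo() -> tuple:
    """Returns (vulnerable_loaded_untrusted, hardened_loaded_untrusted)."""
    with tempfile.TemporaryDirectory() as d:
        dll = Path(d) / "theme_vrf.dll"          # constructed name, mirrors *_vrf.dll
        untrusted = b"MZ-replaced-bytes"

        def swap() -> None:                      # simulates replacement inside the window
            dll.write_bytes(untrusted)

        dll.write_bytes(TRUSTED_DLL)
        v = vulnerable_load(dll, swap)
        dll.write_bytes(TRUSTED_DLL)
        h = hardened_load(dll, swap)
    return (v == untrusted, h == untrusted)
```

The native analogue of the hardened form is to keep one handle open, without write or delete sharing, across both the check and the load; when the file comes from a remote share, as in the published proof-of-concept, the server decides what each read returns, so verifying the same bytes that are mapped is the only reliable option.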
Moreover, a .theme file downloaded from the internet usually triggers a security warning due to the presence of “Mark-of-the-Web” on the file. However, this warning can be bypassed by embedding the .theme file in a .themepack file, which doesn’t display the warning.
To demonstrate this vulnerability, a researcher has published a proof-of-concept on GitHub. The proof-of-concept consists of an SMB server executable and a .theme file. Microsoft has released a fix for the issue, removing the functionality related to “version 999.” However, the fix does not address the TOCTOU issue in the signing of .msstyles files, and it does not add Mark-of-the-Web warnings on .themepack files.
Organizations using Windows 11 are advised to follow specific steps to prevent this vulnerability from being exploited. By implementing security measures and staying informed about the latest cybersecurity news, organizations can reduce the risk of unauthorized access and protect their systems from potential attacks.