Public Vulnerability Reports

Microsoft Windows Theme ScreenSaver Remote Code Execution Vulnerability

09.10.13

BACKGROUND

Microsoft Windows is an operating system produced by Microsoft. More information can be found at the following vendor's website:

http://windows.microsoft.com

DESCRIPTION

Remote exploitation of a design error in Microsoft Corp.'s Windows handling of theme files could allow an attacker to execute arbitrary code with the privileges of the current user.

The Windows theme file format is simply a configuration file that allows users to create and save themes. Typically, these themes are shared with other users over the Internet. The screensaver configuration value of the theme file can be set to a UNC path. The UNC path can point to either local network locations or remote WebDAV servers. This would allow the theme file to remotely grab the screensaver .SCR file, which Microsoft considers to be a dangerous file format since it is an executable file.
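For triage of theme files received from untrusted sources, the following added example (not part of the original advisory) reads the screensaver value and reports whether it points at a remote location. It assumes the screensaver setting is the SCRNSAVE.EXE key in the [boot] section, as in Microsoft's documented .theme format; the sample themes and host name are constructed.

```python
import re

# Constructed sample theme files (not from the advisory). The [boot] section
# and SCRNSAVE.EXE key are assumed from Microsoft's documented .theme format.
LOCAL_THEME = """[Theme]
DisplayName=Plain
[boot]
SCRNSAVE.EXE=%WinDir%\\System32\\Bubbles.scr
"""
REMOTE_THEME = """[Theme]
DisplayName=Shared
[Boot]
scrnsave.exe = \\\\files.example.test\\share\\saver.scr
"""

# \\host\... or //host/... (also covers WebDAV forms such as \\host@SSL\DavWWWRoot\...)
UNC_RE = re.compile(r'^[\\/]{2}[^\\/]+[\\/]')
# scheme://... in case a URL is supplied instead of a UNC path
URL_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def screensaver_path(theme_text):
    """Return the first SCRNSAVE.EXE value found in [boot], or None."""
    section = None
    for raw in theme_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):      # blank line or INI comment
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section == 'boot' and '=' in line:
            key, value = line.split('=', 1)
            if key.strip().lower() == 'scrnsave.exe':
                return value.strip().strip('"')
    return None

def classify(theme_text):
    """Return 'none', 'local' or 'remote' for the theme's screensaver setting."""
    path = screensaver_path(theme_text)
    if not path:
        return 'none'
    if UNC_RE.match(path) or URL_RE.match(path):
        return 'remote'
    return 'local'

if __name__ == '__main__':
    for name, text in (('local', LOCAL_THEME), ('remote', REMOTE_THEME)):
        print(name, screensaver_path(text), classify(text))
```

A 'local' result only means the value is not a UNC path or URL; a path on a mapped network drive would still need manual review.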

ANALYSIS

Exploitation of this issue would allow an attacker to execute arbitrary code on the victim's computer with the privileges of the current user. An attacker would need to use social engineering techniques to trick a victim into downloading and opening a maliciously crafted theme file. Once the file is opened by the victim and selected as the current theme, the screensaver .SCR file will be downloaded from a remote location of the attacker's choosing once the screensaver becomes active. This attack also allows an attacker some level of persistence on the victim's computer because the screensaver will be downloaded each time the screensaver is set to run after a user has been idle.

DETECTION

The following Microsoft products are vulnerable to this issue:

  • Windows XP
  • Windows Vista SP2
  • Windows 7
  • Windows Server 2003 SP2
  • Windows Server 2008 SP2

WORKAROUND

Disabling the Theme service will prevent exploitation of this issue.

VENDOR RESPONSE

Microsoft has released a fix which addresses this issue. For more information, consult their advisory at the following URL:

http://technet.microsoft.com/en-us/security/bulletin/ms13-071

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2013-0810 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

04/03/2013 Initial Vendor Notification
04/03/2013 Initial Vendor Reply
09/10/2013 Coordinated Public Disclosure

CREDIT

This vulnerability was reported to iDefense by Eduardo Prado.

LEGAL NOTICES

Copyright © 2013 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense Verisign. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.