CVE-2023-28291
📋 TL;DR
CVE-2023-28291 is a remote code execution vulnerability in Microsoft's Raw Image Extension that allows attackers to execute arbitrary code by tricking users into opening specially crafted raw image files. This affects Windows systems with the Raw Image Extension installed, primarily putting users who process untrusted image files at risk.
💻 Affected Systems
- Microsoft Raw Image Extension
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution in the security context of the user who opened the file. If that user is a local administrator, or the attacker chains a separate privilege escalation, this becomes full system compromise: data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Limited user account compromise leading to data exfiltration, credential harvesting, or lateral movement within the network.
If Mitigated
No impact if systems are patched, users don't open untrusted raw image files, and proper application whitelisting is enforced.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open a crafted raw image file (or cause an application that uses the extension to decode it). No public exploit code has been observed as of this writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Raw Image Extension version 2.0.0.0 or later (confirm the exact fixed build against the vendor advisory below before relying on this number)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28291
Restart Required: No
Instructions:
1. Open Microsoft Store.
2. Click 'Library' in the bottom left.
3. Click 'Get updates' to update all apps.
4. Alternatively, search for 'Raw Image Extension' and update it manually.
5. Verify the installed version is 2.0.0.0 or higher (see How to Verify below).
Store updates are applied per user profile. On managed devices where the Store is blocked, deliver the update through your app-deployment tooling or remove the package instead.
🔧 Temporary Workarounds
Uninstall Raw Image Extension
Windows: Remove the vulnerable component entirely if it is not needed. The command below removes it only for the current user; add -AllUsers (from an elevated prompt) to remove it from every profile on the machine.
Get-AppxPackage *Microsoft.RawImageExtension* | Remove-AppxPackage
Block raw image file extensions (not with Defender exclusions)
Windows: Add-MpPreference -ExclusionExtension does the opposite of blocking: it excludes files with that extension from Defender scanning, so running it for .raw, .cr2, .nef and .arw would hide malicious raw files from the scanner. Defender has no per-extension block list. Block raw image attachments and downloads at the mail gateway, web proxy or download policy instead, and if these exclusions were already applied on the basis of this advice, remove them:
Remove-MpPreference -ExclusionExtension .raw
Remove-MpPreference -ExclusionExtension .cr2
Remove-MpPreference -ExclusionExtension .nef
Remove-MpPreference -ExclusionExtension .arw
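The two workarounds above as one script, added here as an example (this is not code from the original page or from Microsoft): it audits the Defender extension exclusion list for raw image formats and removes any it finds, then removes the Raw Image Extension from every user profile rather than only the caller's. The list of raw extensions is an assumption for illustration; extend it to the formats your environment sees.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page or Microsoft.
# Assumption: this extension list is illustrative, not exhaustive.
$RawExtensions = @('raw', 'cr2', 'nef', 'arw', 'dng', 'orf', 'rw2')

# 1. Undo any Defender exclusions for raw formats. Exclusions hide files from
#    the scanner; they never block them. Normalise the leading dot before
#    comparing so both ".cr2" and "cr2" entries are caught.
$current = (Get-MpPreference).ExclusionExtension
$bad = @($current | Where-Object { ($_ -replace '^\.', '').ToLower() -in $RawExtensions })
if ($bad.Count -gt 0) {
    Write-Host "Removing Defender extension exclusions: $($bad -join ', ')"
    Remove-MpPreference -ExclusionExtension $bad
} else {
    Write-Host 'No raw-image extension exclusions present.'
}

# 2. Remove the package for all users. Without -AllUsers, Remove-AppxPackage
#    only touches the calling user's profile and other profiles stay exposed.
$pkgs = @(Get-AppxPackage -AllUsers -Name 'Microsoft.RawImageExtension')
if ($pkgs.Count -eq 0) {
    Write-Host 'Raw Image Extension is not installed for any user.'
}
foreach ($p in $pkgs) {
    Write-Host "Removing $($p.PackageFullName) (version $($p.Version))"
    Remove-AppxPackage -Package $p.PackageFullName -AllUsers
}

# 3. If the package was provisioned into the image, remove the provisioned
#    copy too, or it will be reinstalled into every newly created profile.
Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq 'Microsoft.RawImageExtension' } |
    ForEach-Object {
        Write-Host "Removing provisioned package $($_.PackageName)"
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
    }
```

Run it from an elevated PowerShell session. Re-run the Get-AppxPackage -AllUsers query afterwards to confirm nothing remains, since a package in a "Staged" state can survive a per-user removal.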
🧯 If You Can't Patch
- Block the package from launching with an AppLocker packaged-app (Appx) deny rule or a WDAC policy targeting Microsoft.RawImageExtension; Group Policy cannot switch this Store package off directly
- Remove the package for all users (see Temporary Workarounds) on systems that cannot take Store updates
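An AppLocker packaged-app deny rule as an added example (not from the original page or Microsoft). It builds an Appx rule collection with a default allow-all rule, so other signed Store apps keep running, plus a deny rule whose publisher and product name are read from the installed package instead of being hard-coded. Assumptions: the machine has an AppLocker-capable SKU, the local policy is not overridden by a domain GPO, and the Application Identity service can be started; the rule names and temp file path are arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page or Microsoft.
# Assumption: AppLocker is available and not centrally overridden by GPO.
$pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.RawImageExtension' | Select-Object -First 1
if (-not $pkg) { throw 'Package not installed on this machine; nothing to deny.' }

# Packaged-app rules match on the signing subject (Publisher) and the package
# name (ProductName). Both are taken from the installed package so the deny
# rule cannot silently miss because of a typo in the subject string.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow all signed packaged apps" Description="Default allow so other Store apps keep working" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Raw Image Extension (CVE-2023-28291)" Description="Block the vulnerable codec package" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pkg.Publisher)" ProductName="$($pkg.Name)" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$path = Join-Path $env:TEMP 'deny-rawimageextension.xml'   # arbitrary path
Set-Content -Path $path -Value $policyXml -Encoding UTF8

# AppLocker enforcement needs the Application Identity service. It is a
# protected service, so sc.exe is used rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# -Merge keeps any existing exe/dll/script rules in the local policy.
Set-AppLockerPolicy -XmlPolicy $path -Merge

# Show the resulting Appx collection so the deny rule can be eyeballed.
Get-AppLockerPolicy -Local -Xml | Select-String -Pattern 'RawImageExtension', 'EnforcementMode'
```

After applying, test by opening a raw file with Photos as a non-admin user and checking the AppLocker/Packaged app-Execution event log for a block event. Packaged-app rules govern launching packages; whether they stop another app from loading the codec in-process should be confirmed by that test, and removing the package remains the more certain control where it is an option.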
🔍 How to Verify
Check if Vulnerable:
Run the version command below. If the package is not present, the system is not exposed; if it is present at a version below 2.0.0.0, it is vulnerable.
Check Version:
Get-AppxPackage *Microsoft.RawImageExtension* | Select Name, Version
Verify Fix Applied:
Re-run the same command and confirm the version is 2.0.0.0 or higher. Compare as a [version] object rather than as a string, so that a 10.x build is not sorted below 2.x, and add -AllUsers from an elevated prompt, because without it Get-AppxPackage reports only the current user's installation.
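The check above wrapped in a reusable function, added as an example (not from the original page or Microsoft). It handles the three outcomes a fleet check needs: package absent, package present but patched, and one or more profiles still holding a vulnerable build. The default fixed version is the 2.0.0.0 figure stated above; override -FixedVersion with the build from the MSRC advisory if it differs.

```powershell
# Added example, not from the original page or Microsoft.
# Assumption: 2.0.0.0 is the fixed build; pass -FixedVersion to override.
function Test-RawImageExtension {
    param(
        [version]$FixedVersion = '2.0.0.0',
        [switch]$AllUsers          # requires elevation; checks every profile
    )
    $query = @{ Name = 'Microsoft.RawImageExtension' }
    if ($AllUsers) { $query.AllUsers = $true }
    $pkgs = @(Get-AppxPackage @query)

    if ($pkgs.Count -eq 0) {
        return [pscustomobject]@{
            Installed = $false; Vulnerable = $false; Versions = @()
            Detail = 'Package not installed'
        }
    }

    # Compare as [version], never as a string: '10.0.0.0' -lt '2.0.0.0' is
    # true for strings and would misreport a patched build as vulnerable.
    $vulnerable = @($pkgs | Where-Object { [version]$_.Version -lt $FixedVersion })
    $versions   = $pkgs | ForEach-Object { [string]$_.Version } | Sort-Object -Unique

    [pscustomobject]@{
        Installed  = $true
        Vulnerable = ($vulnerable.Count -gt 0)
        Versions   = $versions
        Detail     = if ($vulnerable.Count -gt 0) {
            'Vulnerable builds present: ' + (($vulnerable | ForEach-Object { [string]$_.Version } | Sort-Object -Unique) -join ', ')
        } else {
            "All installed builds are $FixedVersion or newer"
        }
    }
}

# Non-zero exit code makes the script usable from endpoint-management tooling.
$result = Test-RawImageExtension -AllUsers
$result | Format-List
if ($result.Vulnerable) { exit 1 }
```

Run without -AllUsers from a normal prompt to check only the current profile; the -AllUsers form is the one to deploy through management tooling, since a patched admin profile says nothing about the other accounts on the machine.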
📡 Detection & Monitoring
Log Indicators:
- Application log Event ID 1000 (Application Error) or 1001 (Windows Error Reporting) where the faulting application is Microsoft.Photos.exe or another process that decodes images; repeated crashes when raw files are opened can indicate failed exploitation attempts
- Sysmon Event ID 1 (process creation) for unexpected child processes of Microsoft.Photos.exe; WerFault.exe is an expected child after a crash, but is itself a crash signal worth correlating with the file that was opened
Network Indicators:
- Unusual outbound connections from systems after opening image files
- DNS queries to suspicious domains following image processing
SIEM Query (Sysmon Event ID 1, process creation; adapt the syntax to your SIEM):
EventID=1 AND ParentImage LIKE '%Microsoft.Photos.exe%' AND NOT Image LIKE '%Microsoft.Photos.exe%'
Exclude or tag WerFault.exe separately so crash handling does not drown out genuinely unexpected children such as shells, script hosts or LOLBins.
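The query above run locally against the Sysmon operational log, as an added example (not from the original page or Microsoft). It parses each process-creation event's EventData, matches on the parent image name, and separates WerFault.exe crash handling from other child processes so both signals are kept but can be triaged differently. Assumptions: Sysmon is installed with process-creation logging enabled, the default parent list (Photos only) and the 7-day window are illustrative, and the function name is arbitrary.

```powershell
# Added example, not from the original page or Microsoft.
# Assumption: Sysmon is installed and logging Event ID 1 to the usual channel.
function Find-ImageHostChildren {
    param(
        [string[]]$ParentNames = @('Microsoft.Photos.exe'),  # extend as needed
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: an empty result set is returned as an error by Get-WinEvent.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Sysmon stores fields as <Data Name="...">value</Data>; flatten to a map.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['ParentImage'] -or -not $data['Image']) { continue }

        $parent = Split-Path -Leaf $data['ParentImage']
        $child  = Split-Path -Leaf $data['Image']

        # Same filter as the SIEM query: parent is an image host, child is not.
        if ($parent -in $ParentNames -and $child -notin $ParentNames) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $parent
                Child       = $child
                User        = $data['User']
                CommandLine = $data['CommandLine']
                Category    = if ($child -ieq 'WerFault.exe') { 'crash (possible failed exploit)' }
                              else { 'unexpected child (investigate)' }
            }
        }
    }
}

Find-ImageHostChildren | Sort-Object Time | Format-Table -AutoSize
```

Correlate any "unexpected child" hit with Sysmon Event ID 11 (file create) or browser/mail logs to find the raw file that was opened immediately beforehand; a crash followed by a successful spawn from the same host process is the sequence worth escalating.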