A pre-installed application on Windows 10 has a major security hole

Trend Micro's Zero Day Initiative (ZDI) security researchers have discovered a new vulnerability in the Paint 3D tool that comes pre-installed with Windows 10.

First introduced as part of Microsoft's Creators Update in 2016, Paint 3D was originally intended as a replacement for Microsoft Paint that has shipped with the company's operating system since Windows 10.

However, the 3D modeling software did not live up to expectations, which is why Paint and Paint 3D continue to exist side by side on Windows. This could change soon, as Paint 3D was not included in the recently leaked Windows 11 build.


Although difficult to exploit, the recently discovered vulnerability, now patched by Microsoft, could be another reason for Paint 3D to be retired.

According to a security advisory from ZDI, the vulnerability in Paint 3D (CVE-2021-31946) could be exploited by an attacker to execute arbitrary code after a user accesses or opens a malicious file.

However, to exploit this vulnerability, an attacker would first need to escalate privileges on a targeted system before convincing a user to open a malicious file or website.

Earlier this year, ZDI discovered this vulnerability using a technique known as fuzzing. In February, they reported their findings to Microsoft. Thankfully, security researchers have not observed the vulnerability being exploited in the wild or in any existing proof-of-concept (PoC) code, which means Windows users are safe for now.

At the same time, Microsoft has also released a patch to address the vulnerability through the Microsoft Store.

If you haven't set up automatic updates in the Microsoft Store, you can also download the update manually.

We'll have to wait and see if Paint 3D is dropped in the next version of Windows.
