Jump to content
  • Windows Mark of the Web bypass zero-day gets unofficial patch

    alf9872000

    • 355 views
    • 3 minutes
     Share


    • 355 views
    • 3 minutes

    A free unofficial patch has been released through the 0patch platform to address an actively exploited zero-day flaw in the Windows Mark of the Web (MotW) security mechanism.

     

    This flaw enables attackers to prevent Windows from applying (MotW) labels on files extracted from ZIP archives downloaded from the Internet.

     

    Windows automatically adds MotW flags to all documents and executables downloaded from untrusted sources, including files extracted from downloaded ZIP archives, using a special 'Zone.Id' alternate data stream.

     

    These MotW labels tell Windows, Microsoft Office, web browsers, and other apps that the file should be treated with suspicion and will cause warnings to be displayed to the user that opening the files could lead to dangerous behavior, such as malware being installed on the device. 

     

    Will Dormann, a senior vulnerability analyst at ANALYGENCE, who first spotted ZIP archives not properly adding MoTW flags, reported the issue to Microsoft in July.

     

    Although Microsoft opened and read the report more than two months ago, in August, the company hasn't yet released a security update to fix the flaw.

     

     
    As ACROS Security CEO and co-founder of the 0patch micropatching service Mitja Kolsek explains, MotW is an essential Windows security mechanism since Smart App Control will only work on files with MotW flags and Microsoft Office will only block macros on documents tagged with MotW labels.
     

    "Attackers therefore understandably prefer their malicious files not being marked with MOTW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked," Kolsek said.

     

    "An attacker could deliver Word or Excel files in a downloaded ZIP that would not have their macros blocked due to the absence of the MOTW (depending on Office macro security settings), or would escape the inspection by Smart App Control."

    Free micropatches until Microsoft releases a fix

    Since the zero-day was reported to Microsoft in July, it has been detected as exploited in attacks to deliver malicious files on victims' systems.

     

    Until Microsoft releases official updates to address the flaw, 0patch has developed free patches for the following affected Windows versions:

    1. Windows 10 v1803 and later
    2. Windows 7 with or without ESU
    3. Windows Server 2022
    4. Windows Server 2019
    5. Windows Server 2016
    6. Windows Server 2012
    7. Windows Server 2012 R2
    8. Windows Server 2008 R2 with or without ESU

     

    To install the micropatches on your Windows device, register a 0patch account and install its agent.

     

    They will be applied automatically after launching the agent without requiring a system restart if there are no custom patching policies to block it.

     

    You can see 0patch's Windows micropatches in action in the video below.

     

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...