Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability

An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections.

The fix, released by 0patch, arrives weeks after HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates which employ a JavaScript file to proliferate the file-encrypting malware.

While files downloaded from the internet in Windows are tagged with a MotW flag to prevent unauthorized actions, it has since been found that corrupt Authenticode signatures can be used to allow the execution of arbitrary executables without any SmartScreen warning.

Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and verifies whether the software was tampered with after it was signed and published.

“The [JavaScript] file actually has the MotW but still executes without a warning when opened,” HP Wolf Security researcher Patrick Schläpfer noted.

(Image source: Will Dormann, Twitter)

“If the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped regardless of script contents, as if there is no MotW on the file,” security researcher Will Dormann explained.

According to 0patch co-founder Mitja Kolsek, the zero-day bug is the result of SmartScreen throwing an exception when parsing the malformed signature, which is incorrectly interpreted as a decision to run the program rather than to trigger a warning.

Fixes for the flaw also come less than two weeks after unofficial patches were shipped for another zero-day MotW bypass flaw that came to light in July and has since come under active attack, per security researcher Kevin Beaumont.

The vulnerability, discovered by Dormann, relates to how Windows fails to set the MotW identifier on files extracted from specially crafted .ZIP files.

“Attackers therefore understandably prefer their malicious files not being marked with MotW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked,” Kolsek said.
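As an added example (not code from the article, 0patch or Microsoft), the following Python models the fail-closed policy the SmartScreen bug lacked: it parses a Zone.Identifier stream, the on-disk form of MotW, and treats any exception in parsing or signature verification as a reason to warn rather than run. The stream contents, the `signature_check` callable and the Windows-only `read_zone_identifier` helper are assumptions introduced here.

```python
"""Added example (not from the article, 0patch or Microsoft): a fail-closed MotW check.
Windows keeps Mark-of-the-Web in an NTFS alternate data stream named Zone.Identifier,
INI-style text ([ZoneTransfer] / ZoneId=3 / HostUrl=...). The article's bug turned a
signature-parsing exception into "run"; decide() below warns on any failure instead."""
import configparser
from enum import Enum
from typing import Callable, Optional

UNTRUSTED_ZONES = {3, 4}  # URLMON zone ids: 3 = Internet, 4 = Restricted sites

class Decision(Enum):
    RUN = "run"    # no MotW, or MotW plus a signature that verified
    WARN = "warn"  # internet origin and unverified, or anything we could not parse

def read_zone_identifier(path: str) -> str:
    """Windows/NTFS only: return the file's Zone.Identifier stream, '' if absent.
    Hypothetical helper; the stand-alone demo below uses constructed text instead."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except FileNotFoundError:
        return ""

def parse_zone_id(stream_text: str) -> Optional[int]:
    """ZoneId from the stream, or None when the file carries no MotW at all.
    Raises configparser.Error or ValueError on malformed content."""
    if not stream_text.strip():
        return None
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    return cp.getint("ZoneTransfer", "ZoneId")

def decide(stream_text: str, signature_check: Callable[[], bool]) -> Decision:
    """Fail closed: an exception anywhere yields WARN, never RUN."""
    try:
        if parse_zone_id(stream_text) not in UNTRUSTED_ZONES:
            return Decision.RUN  # local or trusted-zone file: Windows shows no MotW prompt
        # Internet origin: only a signature that actually verifies lifts the warning
        return Decision.RUN if signature_check() else Decision.WARN
    except Exception:
        return Decision.WARN  # malformed stream or signature: keep the prompt

if __name__ == "__main__":
    # Constructed sample: internet-origin script whose signature fails to parse
    sample = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/update.js\r\n"
    def malformed_sig() -> bool:
        raise ValueError("unparseable Authenticode signature")
    print(decide(sample, malformed_sig))  # Decision.WARN
```

The same `decide()` also covers the ZIP case: an extracted file with no Zone.Identifier stream returns `RUN` because Windows would show no prompt for it, which is exactly why a missing MotW matters.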
