Actively exploited Windows Mark-of-the-Web zero-day received an unofficial patch

Pierluigi Paganini October 31, 2022

An unofficial patch has been released for an actively exploited flaw in Microsoft Windows that allows attackers to bypass Mark-of-the-Web (MotW) protections.

0patch released an unofficial patch to address an actively exploited security vulnerability in Microsoft Windows that could allow bypassing Mark-of-the-Web (MotW) protections by using files signed with malformed signatures.

The issue affects all supported and multiple legacy Windows versions.

HP Wolf Security recently spotted a Magniber campaign targeting Windows home users with fake security updates.

“Patrick works at HP Wolf Security where they analyzed the Magniber Ransomware and wrote a detailed analysis of its working. Will asked Patrick about the ZIP files used in the malware campaign to see if they were exploiting the same vulnerability or employing some other trick to bypass the ‘Mark of the Web.’” reads the report published by 0patch.

Patrick explained that malicious files extracted from the attacker’s ZIP files were executed without security warnings even if they missed the Mark of the Web.

In order to prevent unauthorized actions, files downloaded from the internet in Windows are tagged with a MotW flag. The experts discovered that corrupt Authenticode signatures allow the execution of arbitrary executables without any SmartScreen warning.

According to 0patch, Windows fails to properly parse the malformed signature and, for this reason, trusts the file and lets malicious executables run without a warning.
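The following PowerShell triage script is an added example, not code from 0patch, HP Wolf Security or the original article. It lists downloaded files that carry a MotW tag from the Internet or Restricted zone and whose Authenticode signature is present but does not validate, which is the combination described above. The default scan folder and the extension list are assumptions to adjust for your environment.

```powershell
# Added example: find files that have Mark-of-the-Web AND a signature Windows cannot validate.
param(
    # Assumption: folder to scan; defaults to the current user's Downloads folder.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
    # Assumption: file types worth checking; unsignable formats would only add noise.
    [string[]]$Extensions = @('.exe', '.dll', '.msi', '.js', '.vbs', '.wsf', '.ps1')
)

function Get-MotwZoneId {
    param([string]$FilePath)
    # MotW is stored in the NTFS alternate data stream named "Zone.Identifier".
    $ads = Get-Content -LiteralPath $FilePath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $ads) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null   # no stream, or no ZoneId line in it
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $file = $_
        $zone = Get-MotwZoneId -FilePath $file.FullName
        # Keep only Internet (3) and Restricted sites (4) zones.
        if ($null -eq $zone -or $zone -lt 3) { return }

        # Fail closed: a signature that cannot be evaluated is reported, never skipped.
        try {
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName -ErrorAction Stop
            $status = $sig.Status.ToString()
        } catch {
            $status = "Error: $($_.Exception.Message)"
        }

        # 'Valid' and 'NotSigned' are the expected outcomes; anything else needs a look.
        if ($status -notin @('Valid', 'NotSigned')) {
            [pscustomobject]@{
                File            = $file.FullName
                ZoneId          = $zone
                SignatureStatus = $status
            }
        }
    }
```

Each result is a lead for manual review, not a verdict: expired or untrusted certificates on legitimate software produce the same non-valid status.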

“The malformed signature discovered by Patrick and Will caused SmartScreen.exe to throw an exception when the signature could not be parsed, resulting in SmartScreen returning an error. Which we now know means “Run.”” concludes the report. “You can see the effect of our micropatch in the following video.”
