0patch released an unofficial patch to address an actively exploited security vulnerability in Microsoft Windows that could allow bypassing Mark-of-the-Web (MotW) protections by using files signed with malformed signatures.
The issue affects all supported and multiple legacy Windows versions.
HP Wolf Security recently spotted a Magniber ransomware campaign targeting Windows home users with fake security updates delivered as ZIP archives. Security researcher Will Dormann, who had shortly before reported a separate MotW bypass in which files extracted from ZIP archives lost the flag, compared notes with HP Wolf Security's Patrick Schläpfer.
“Patrick works at HP Wolf Security where they analyzed the Magniber Ransomware and wrote a detailed analysis of its working. Will asked Patrick about the ZIP files used in the malware campaign to see if they were exploiting the same vulnerability or employing some other trick to bypass the ‘Mark of the Web.’” reads the report published by 0patch.
Patrick explained that the malicious files extracted from the attacker’s ZIP archives were executed without any security warning even though they carried the Mark of the Web, so the ZIP-extraction bug was not the cause.
Windows tags files downloaded from the internet with the MotW flag, stored in a Zone.Identifier alternate data stream alongside the file, and SmartScreen consults that flag before letting the file run. The researchers found that a file with MotW whose Authenticode signature is corrupt is run without any SmartScreen warning.
According to 0patch, Windows fails to parse the malformed signature, and the resulting error path ends with the executable being treated as trusted and launched without a warning.
“The malformed signature discovered by Patrick and Will caused SmartScreen.exe to throw an exception when the signature could not be parsed, resulting in SmartScreen returning an error. Which we now know means ‘Run.’” concludes the report. “You can see the effect of our micropatch in the following video.”
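The decision flow described above (MotW flag consulted, signature parsed, parse error treated as "run") as an added Python model; this is not code from 0patch, HP Wolf Security or Microsoft. The Zone.Identifier stream text and the signature byte strings are constructed samples, the DER envelope check is an assumed stand-in for the real Authenticode parser (real verification is cryptographic), and treating zones 3 and 4 as MotW is this example's assumption. The point it shows is the fail-open versus fail-closed handling of the parse exception:

```python
# Added example: models SmartScreen's decision for a Mark-of-the-Web file and
# why a signature parse error must map to "warn", not "run".
# Not code from 0patch, HP Wolf Security or Microsoft.
import configparser
from typing import Optional, Tuple

# URLZONE values; this example assumes SmartScreen fires for these two.
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4

# Constructed Zone.Identifier streams in the INI-style layout Windows writes.
MOTW_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.test/\r\n"
    "HostUrl=https://example.test/update.zip\r\n"
)
LOCAL_STREAM = "[ZoneTransfer]\r\nZoneId=0\r\n"

# Constructed signature blobs: one minimal well-formed DER SEQUENCE and two
# malformed ones (truncated long-form length; wrong outer tag).
WELL_FORMED_SIG = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
TRUNCATED_SIG = bytes([0x30, 0x82, 0x10, 0x00, 0x02, 0x01])
WRONG_TAG_SIG = bytes([0x04, 0x03, 0x02, 0x01, 0x01])


def zone_id(stream_text: Optional[str]) -> Optional[int]:
    """Parse a Zone.Identifier stream; None if the stream or ZoneId is absent."""
    if stream_text is None:
        return None
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(stream_text.replace("\r\n", "\n"))
    return cp.getint("ZoneTransfer", "ZoneId", fallback=None)


def has_motw(stream_text: Optional[str]) -> bool:
    """True when the file came from the Internet or Restricted zone."""
    return zone_id(stream_text) in (URLZONE_INTERNET, URLZONE_UNTRUSTED)


def der_sequence_header(blob: bytes) -> Tuple[int, int]:
    """Return (header_len, content_len) of the outer DER SEQUENCE or raise."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("signature does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad long-form length")
    return 2 + n, int.from_bytes(blob[2:2 + n], "big")


def check_signature_envelope(blob: bytes) -> int:
    """Structural parse only: the declared length must match the bytes present."""
    hdr, length = der_sequence_header(blob)
    if hdr + length != len(blob):
        raise ValueError(f"declared {length} content bytes, have {len(blob) - hdr}")
    return length


def smartscreen_verdict(stream_text: Optional[str], sig_blob: Optional[bytes],
                        patched: bool) -> str:
    """Return 'run', 'warn', or 'verify' (hand off to the full signature and
    reputation check, which this model does not implement)."""
    if not has_motw(stream_text):
        return "run"            # SmartScreen is only consulted for MotW files
    if sig_blob is None:
        return "warn"           # unsigned Internet file: the normal warning
    try:
        check_signature_envelope(sig_blob)
    except ValueError:
        # Unpatched: exception -> error -> "Run". Patched: fail closed.
        return "warn" if patched else "run"
    return "verify"


if __name__ == "__main__":
    for label, sig in (("well-formed", WELL_FORMED_SIG), ("truncated", TRUNCATED_SIG),
                       ("wrong-tag", WRONG_TAG_SIG), ("unsigned", None)):
        for patched in (False, True):
            print(f"MotW file, {label:11s} patched={patched!s:5s} -> "
                  f"{smartscreen_verdict(MOTW_STREAM, sig, patched)}")
```

On a real host the same two inputs are visible from PowerShell: `Get-Content -Path .\file -Stream Zone.Identifier` prints the stream, and `Get-AuthenticodeSignature .\file` reports a status; a MotW-tagged file whose status is neither Valid nor NotSigned is exactly the case worth a closer look.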