Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability

An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections.

The fix, released by 0patch, arrives weeks after HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates which employ a JavaScript file to proliferate the file-encrypting malware.

While files downloaded from the internet in Windows are tagged with a MotW flag to prevent unauthorized actions, it has since been found that corrupt Authenticode signatures can be used to allow the execution of arbitrary executables without any SmartScreen warning.

Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and verifies whether the software was tampered with after it was signed and published.

“The [JavaScript] file actually has the MotW but still executes without a warning when opened,” HP Wolf Security researcher Patrick Schläpfer noted.

[Image] Source: Will Dormann Twitter

“If the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped,” security researcher Will Dormann explained.

Now, according to 0patch co-founder Mitja Kolsek, the zero-day bug is the result of SmartScreen returning an exception when parsing the malformed signature, which is incorrectly interpreted as a decision to run the program rather than trigger a warning.

Fixes for the flaw also come less than two weeks after unofficial patches were shipped for another zero-day MotW bypass flaw that came to light in July and has since come under active attack, per security researcher Kevin Beaumont.

The vulnerability, discovered by Dormann, relates to how Windows fails to set the MotW identifier on files extracted from specifically crafted .ZIP files.

“Attackers therefore understandably prefer their malicious files not being marked with MOTW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked,” Kolsek said.
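A defender-side check that follows from the ZIP bypass described above, added here as an example that is not code from the article, from 0patch or from the researchers quoted. It assumes a downloaded archive at Downloads\update.zip and inspects the Zone.Identifier alternate data stream, which is where Windows stores the MotW, to list extracted files that carry no mark:

```powershell
# Added example (not from the article or 0patch): report which files under a
# directory, e.g. the output of extracting a downloaded ZIP, carry the
# Mark-of-the-Web. Windows stores it in the Zone.Identifier alternate data
# stream; ZoneId=3 is "Internet" and ZoneId=4 is "Restricted sites".
function Get-MotwReport {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        $zone = $null
        try {
            # The stream is absent on files that were never marked; -ErrorAction
            # Stop turns that into a catchable error instead of a warning.
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            $match = $ads | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
            if ($match) { $zone = [int]$match.Matches[0].Groups[1].Value }
        } catch {
            # No Zone.Identifier stream: the file has no MotW at all.
        }
        [pscustomobject]@{
            File    = $_.FullName
            ZoneId  = $zone
            # Only Internet/Restricted zones make SmartScreen and the
            # file-open warning apply, so treat anything else as unmarked.
            HasMotW = ($null -ne $zone -and $zone -ge 3)
        }
    }
}

# Usage with assumed paths: extract a downloaded archive and list every file
# that came out without the mark. Extraction tools differ in whether they
# propagate MotW, so run this against the tool your users actually use.
$zip  = Join-Path $env:USERPROFILE 'Downloads\update.zip'   # assumed sample
$dest = Join-Path $env:TEMP 'motw-check'
Expand-Archive -LiteralPath $zip -DestinationPath $dest -Force
Get-MotwReport -Root $dest | Where-Object { -not $_.HasMotW } | Format-Table -AutoSize
```

Any file listed by the final pipeline would open without the SmartScreen or file-open warning, which is exactly the condition the bypass produces.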
