Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit

  /     /     /  
Publicated : 23/11/2024   Category : security


Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit


A pair of Microsoft bugs allow cyberattackers to bypass native Windows Internet download security, says former CERT CC researcher who discovered the flaws.



Two separate vulnerabilities exist in different versions of Windows that allow attackers to sneak malicious attachments and files past Microsofts Mark of the Web (MoTW) security feature.
Attackers are actively exploiting both issues, according to Will Dormann, a former software vulnerability analyst with CERT Coordination Center (CERT/CC) at Carnegie Mellon University, who discovered the two bugs. But so far, Microsoft has not issued any fixes for them, and no known workarounds are available for organizations to protect themselves, says the researcher, who has been credited with discovering numerous zero-day vulnerabilities over his career.
MotW is a Windows feature designed to protect users against files from untrusted sources. The mark itself is
a hidden tag that Windows attaches
to files downloaded from the Internet. Files that carry the MotW tag are restricted in what they do and how they function. For example, starting with MS Office 10, MotW-tagged files open by default in Protected View, and executables are first vetted for security issues by Windows Defender before they are allowed to run.
Many Windows security features — [such as] Microsoft Office Protected view, SmartScreen, Smart App Control, [and] warning dialogs — rely on the presence of the MotW to function, Dormann, who is presently a senior vulnerability analyst at Analygence, tells Dark Reading.
Dormann reported the first of the two MotW bypass issues to Microsoft on July 7. According to him, Windows fails to apply the MotW to files extracted from specifically crafted .ZIP files.
Any file contained within a .ZIP can be configured in a way so that when its extracted, it will not contain MOTW markings, Dorman says. This allows an attacker to have a file that will operate in a way that makes it appear that it did not come from the Internet. This makes it easier for them to trick users into running arbitrary code on their systems, Dormann notes.
Dormann says he cannot share details of the bug, because that would give away how attackers could leverage the flaw. But he says it affects all versions of Windows from XP on. He says one reason he has not heard from Microsoft likely is because the vulnerability was reported to them via CERTs Vulnerability Information and Coordination Environment (VINCE), a platform that he says Microsoft has refused to use.
I havent worked at CERT since late July, so I cannot say if Microsoft has attempted to contact CERT in any way from July on, he cautions.
Dormann says other security researchers have reported seeing attackers actively exploiting the flaw. One of them is security researcher Kevin Beaumont, a former threat intelligence analyst at Microsoft. In a tweet thread earlier this month, Beaumont reported the flaw as being exploited in the wild.
This is without a doubt the
dumbest zero day I’ve worked on
, Beaumont said.
In a separate tweet a day later, Beaumont said he wanted to release detection guidance for the issue but was concerned about the potential fallout.
If Emotet/Qakbot/etc find it they will 100% use it at scale, he warned.
In an emailed comment a Microsoft spokeswoman said the company is aware of the technique and are investigating to determine the appropriate steps to address the issue

 The statement did not say which of the two MoTW related issues Microsoft is investigating or might be planning to address. Meanwhile, Slovenia-based security firm Acros Security last week
released an unofficial patch
for this first vulnerability via its 0patch patching platform.
In comments to Dark Reading, Mitja Kolsek, CEO and co-founder of 0patch and Acros Security, says he was able to confirm the vulnerability that Dormann reported to Microsoft in July. 
Yes, it is ridiculously obvious once you know it. Thats why we didnt want to reveal any details, he says. He says the code performing the unzipping of .ZIP files is flawed and only a code patch can fix that. There are no workarounds, Kolsek says.
Kolsek says the issue is not difficult to exploit, but he adds the vulnerability alone is not enough for a successful attack. To exploit successfully, an attacker would still need to convince a user into opening a file in a maliciously crafted .ZIP archive — sent as an attachment via a phishing email or copied from a removable drive such as a USB stick for instance.
Normally, all files extracted from a .ZIP archive that is marked with MotW would also get this mark and would therefore trigger a security warning when opened or launched, he says, but the vulnerability definitely allows attackers a way to bypass the protection. We are not aware of any mitigating circumstances, he adds. 
Kolsek noted that his firm has a patch candidate ready for the second issue as well and should release it by Friday.
This second vulnerability involves the handling of MotW tagged files that have corrupt Authenticode digital signatures.
Authenticode is a Microsoft code-signing technology
that authenticates the identity of the publisher of a particular piece of software and determines whether the software was tampered with after it was published.
Dormann says he discovered that if a file has a malformed Authenticode signature, it will be treated by Windows as if it had no MotW; the vulnerability causes Windows to skip SmartScreen and other warning dialogs before executing a JavaScript file.
Windows appears to fail open when it encounters an error [when] processing Authenticode data, Dormann says, and it will no longer apply MotW protections to Authenticode-signed files, despite them actually still retaining the MotW.
Dormann describes the issue as affecting every version of Windows from version 10 on, including the server variant of Windows Server 2016. The vulnerability gives attackers a way to sign any file that can be signed by Authenticode in a corrupt manner — such as .exe files and JavaScript files — and sneak it past MOTW protections.
Dormann says he learned of the issue after reading an HP Threat Research blog from earlier this month about a
Magniber ransomware campaign
involving an exploit for the flaw.
Its unclear if Microsoft is taking action, but for now, researchers continue to raise the alarm. I have not received an official response from Microsoft, but at the same time, I have not officially reported the issue to Microsoft, as Im no longer a CERT employee, Dormann says. I announced it publicly via Twitter, due to the vulnerability being used by attackers in the wild.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit