An actively exploited zero-day in the Windows operating system involving the Windows Mark of the Web (MotW) security feature has received a micropatch from a third party company called 0patch. MotW is a feature that ‘marks’ files downloaded from the internet from non-trusted sources. This mark tells other software that the marked file should be treated with caution and warns the user that execution of the file could allow malicious behavior.
Unfortunately, there are inconsistencies in the application of MotW for ZIP and ISO files. Senior vulnerability analyst Will Dormann has demonstrated that “without trying too hard” he could craft a ZIP file whose contents, when extracted, would not bear the MotW. This presents an attractive method of malware delivery for threat actors, preferring that their malware not be subject to the MotW limitations.
Microsoft has been aware of this flaw since August 2022 but have yet to release an update that fixes the issue. However, the 0patch micropatching service has released their own patch for this MotW flaw. The free patch can be applied to the following Windows versions:
- Windows 10 v1803 and later
- Windows 7 with or without ESU
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2008 R2 with or without ESU
Analyst Notes
MotW is an essential security mechanism, especially when it comes to malicious Microsoft Office documents that contain macros. By default, Office will only block macros in files that contain the MotW, allowing threat actors to abuse this flaw to smuggle in malicious macros with no warning to users. It is recommended to disable macros via Group Policy until Microsoft releases an official patch for the MotW flaw.
https://www.bleepingcomputer.com/news/microsoft/windows-mark-of-the-web-bypass-zero-day-gets-unofficial-patch/
