Description
Attackers are actively exploiting two vulnerabilities existing in Windows Mark-of-the-Web (MotW) that allows malicious attachments to sneak pass the security features meant to protect users.
Summary
Windows Mark-of-the-Web (MotW) is a security feature designed to protect users from any unverified files obtained from untrusted sources, that is from the internet or any external media or device. The MotW works by attaching a hidden tag to unverified files and these files are then restricted in what they can do and how they function. Actions from these files will need to be approved by the user. An example of the MotW in action is using Microsoft Office where MotW-tagged files are opened by default in Protected View, or when an executable is first vetted for security issues by Windows Defender before they are allowed to run. All of these Windows security features such as Microsoft Office Protected view, SmartScreen, Smart App Control and warning dialogs rely on the operation of the MotW to function.
The first vulnerability, discovered by Will Dormann in May 2022, shows Windows failing to apply the MotW to files extracted from special crafted .ZIP files. Much was not revealed on how the exploit was carried out; however, it is said to affect all versions of Windows from XP onwards. The attacker configures a special .ZIP with files that can be extracted without the MotW markings, and this allows these files to operate in any manner and execute without any warning.
The second vulnerability deals with Windows handling MotW-tagged files that have malicious Authenticode digital signatures. This was also discovered by the researcher Will Dormann in October 2022, while investigating a disclosed Magniber ransomware campaign which employed a JavaScript file to proliferate the file-encrypting malware. Whats interesting is that the malicious JavaScript file had the MotW marking yet Windows did not display any warnings when the file was executed. It was then discovered that the file was digitally signed using a malformed Authenticode signature. Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and determines whether the software was tampered with after it was published. Dormann elaborated that when a malicious file signed with malformed signature is executed, Windows will execute the file instead of showing a security warning or have the SmartScreen preventing the file from running. Windows appears to “fail open” when it encounters an error processing Authenticode signature and this causes it to no longer apply MotW protections to Authenticode-signed files, despite these files still retaining the MotW. The vulnerability can give attackers a way to sign any file such as .exe files and JavaScript files using the Authenticode in a corrupt manner and sneak them past MotW protections. This vulnerability is said to affect every version of Windows from version 10 on to 11, and Windows Server 2016, 2019 and 2022.
Remediation
Microsoft is yet to address these issues so there is currently no official remediation for these vulnerabilities. There are unofficial patches available, however we simply cannot recommend them. There are a few tips users can follow to better safeguard devices until the issues have been handled by Microsoft. Users are advised to review the tips below:
Be careful when opening .ZIP files, especially when acquired from unverified sources on the internet. Have these .ZIP files scanned with reputable anti-virus software and check the properties of the files to see if they are tagged with the MotW.
Be wary of executables that have a MotW tag but executes right away without any security warning pop-up or SmartScreen pop-up. When executed, any file with the MotW tag will ask for the users permission to continue the execution. If this does not happen, isolate the device and have it scanned with a reputable anti-virus.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Windows Mark-of-the-Web remains vulnerable.pdf
References
Abrams, L. (2022, October 30). Actively exploited Windows MoTW zero-day gets unofficial patch. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/microsoft/actively-exploited-windows-motw-zero-day-gets-unofficial-patch/
Lakshmanan, R. (2022, October 31). Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability. Retrieved from The Hacker News. https://thehackernews.com/2022/10/unofficial-patch-released-for-new.html
Vijayan, J. (2022, October 25). Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit. Retrieved from DarkReading. https://www.darkreading.com/attacks-breaches/windows-mark-of-the-web-zero-days-patchless-exploit