Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability

An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows

The newly released patch makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections. A week ago,d HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates which employ a JavaScript file to proliferate the file-encrypting malware. After the disclosure of Magniber was done,the fix was released by 0patch.

While files downloaded from the internet in Windows are tagged with a MotW flag to prevent unauthorized actions, it has since been found that corrupt Authenticode signatures can be used to allow the execution of arbitrary executables without any SmartScreen warning.

Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and verifies whether the software was tampered with after it was signed and published.

“The [JavaScript] file actually has the MotW but still executes without a warning when opened,” HP Wolf Security researcher Patrick Schläpfer noted.

unofficial patch
iMAGE SOURCE- BLEEPING COMPUTER

“The [JavaScript] file actually has the MotW but still executes without a warning when opened,” HP Wolf Security researcher Patrick Schläpfer noted.”If the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped,” security researcher Will Dormann explained.

Now according to 0patch co-founder Mitja Kolsek, the zero-day bug is the result of SmartScreen returning an exception when parsing the malformed signature, which is incorrectly interpreted as a decision to run the program rather than trigger a warning.

“Attackers therefore understandably prefer their malicious files not being marked with MOTW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked,” Kolsek said.

Related Articles

Responses

Your email address will not be published. Required fields are marked *