Windows MoTW Zero-Day gets unofficial patch

Comparitech reported that more than 8,000 vulnerabilities were published in Q1 of 2022 alone. A zero-day (or 0-day) is a vulnerability that attackers exploit before the vendor knows about it, so no fix exists at the time of the attack. The prospect of being ambushed by a zero-day keeps software vendors and independent security researchers on constant lookout for overlooked flaws. When such a flaw is found, the vendor issues a code fix, known as a 'patch', that closes the hole; users then install the patch to protect themselves from attackers who would otherwise use it to gain unauthorized access to, damage or compromise a system.
As reported by BleepingComputer, a free unofficial patch is now available for an actively exploited zero-day in Windows 10 and Windows 11 that Microsoft has yet to fix. The micropatch addresses a Windows bug that lets files carrying a malformed Authenticode signature open without the Mark-of-the-Web (MoTW) security warning. BleepingComputer had earlier reported that threat actors were using standalone JavaScript (.js) files, distributed as fake software updates, to install the Magniber ransomware on victims' devices. Files downloaded from the internet are normally tagged with a MoTW flag (the Zone.Identifier alternate data stream) so that Windows shows a SmartScreen warning before they run; the Magniber JavaScript files did carry the MoTW flag, yet Windows displayed no warning when they were launched. Will Dormann, senior vulnerability analyst at Analygence, analyzed the files and established that they were digitally signed with a malformed signature that triggers the bug.
A related MoTW weakness has also been reported: an attacker can prevent Windows from applying the MoTW flag to files extracted from a ZIP archive obtained from an untrusted source. Since the extracted files carry no flag, the protections that depend on it are bypassed, so a victim who opens such an archive can be tricked into executing malicious software without triggering the expected security warnings.
Because the zero-day is being used in ransomware attacks, the micropatching service 0patch has issued an unofficial fix that can be used until Microsoft ships an official security update. In the 0patch blog post, co-founder Mitja Kolsek explains that the bug stems from SmartScreen throwing an exception while parsing the malformed signature; that exception is incorrectly interpreted as a decision to let the program run rather than to show a warning.
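As an added example (not part of the article, and not 0patch's or Microsoft's code), the PowerShell script below shows how the two properties discussed above can be checked on disk: whether a file carries the MoTW flag, read from its Zone.Identifier alternate data stream, and what Windows makes of its Authenticode signature via Get-AuthenticodeSignature. A file that is MoTW-tagged but whose signature status is neither Valid nor NotSigned matches the pattern of the Magniber files; a file pulled out of an untrusted archive that has no Zone.Identifier stream at all matches the ZIP case. The scan directory, the extension list and the demo file it creates in %TEMP% are assumptions for illustration.

```powershell
# Added example, not code from the article, 0patch or Microsoft.
# Assumptions: the scan directory, the extension list and the demo file are illustrative.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string[]]$RiskyExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.exe', '.msi')
)

function Get-MotwZone {
    # MoTW is the NTFS alternate data stream "Zone.Identifier", an INI fragment such as
    #   [ZoneTransfer]
    #   ZoneId=3          (3 = Internet, 4 = Restricted sites; 0-2 are local/intranet/trusted)
    #   ReferrerUrl=...   (optional, written by some browsers)
    #   HostUrl=...       (optional)
    # Returns the ZoneId as an integer, or $null when the stream is absent.
    param([string]$File)
    try {
        $text = Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -Raw -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Test-DownloadedFile {
    # Combines the MoTW zone with the Authenticode status Windows reports for the file.
    # SmartScreen is expected to warn on a MoTW-tagged file; the bug in the article is
    # that a malformed signature made it throw and allow the file instead, so a tagged
    # script whose signature is neither Valid nor NotSigned is the pattern to surface.
    param([System.IO.FileInfo]$File)
    $zone   = Get-MotwZone -File $File.FullName
    $sig    = Get-AuthenticodeSignature -LiteralPath $File.FullName
    $status = $sig.Status.ToString()
    $signedButBroken = $status -notin @('Valid', 'NotSigned')
    [pscustomobject]@{
        File       = $File.FullName
        ZoneId     = $zone
        SigStatus  = $status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Suspicious = ($zone -ge 3) -and $signedButBroken -and
                     ($RiskyExtensions -contains $File.Extension.ToLower())
    }
}

function New-MotwTestFile {
    # Constructed sample input: an unsigned .js in %TEMP%, tagged as Internet zone the
    # way a browser tags a download. Expected row: ZoneId 3, SigStatus NotSigned,
    # Suspicious False (it is tagged and unsigned, so SmartScreen would warn as intended).
    param([string]$Name = 'motw-demo.js')
    $f = Join-Path $env:TEMP $Name
    Set-Content -LiteralPath $f -Value 'WScript.Echo("demo");'
    Set-Content -LiteralPath $f -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
    return Get-Item -LiteralPath $f
}

# Scan the target directory and append the constructed demo file so the report
# always contains at least one MoTW-tagged entry.
$files = @(Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue)
$files += New-MotwTestFile
$files |
    ForEach-Object { Test-DownloadedFile -File $_ } |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize
```

Run it in Windows PowerShell on an NTFS volume. Unblock-File deletes the Zone.Identifier stream, which is why a file someone has already "unblocked" shows an empty ZoneId, the same on-disk state as a file extracted by a ZIP tool that failed to propagate the flag. The script only surfaces candidates: a status such as UnknownError or HashMismatch on a tagged script file is a reason to look closer, not proof that the bypass was used.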
Microsoft told BleepingComputer that it is aware of the issue and is investigating it to determine the appropriate remediation steps. While Microsoft works on a patch, the fact that the vulnerability is now public increases the likelihood of further attacks. Users and administrators are urged to apply the 0patch micropatch while they await an official fix from Microsoft.
