Microsoft’s Mark of the Web (MOTW) is a security feature that prevents malicious files and attachments from being downloaded or opened. However, two independent vulnerabilities exist in various versions of Windows that allow attackers to bypass this protection. Will Dormann, a former software vulnerability analyst at CERT/CC, uncovered both vulnerabilities and claimed that attackers are actively exploiting them.

The researcher, who has been credited with identifying multiple zero-day vulnerabilities throughout his career, adds that Microsoft has not published any patches for them yet and that there are no known workarounds available for enterprises to defend themselves.
MotW Protection for Untrusted Files

A Windows feature called MotW shields users against files from unreliable sources. The tag is a secret tag that Windows adds to items obtained from the Internet. Files with the MotW tag are limited in what they can accomplish and how they run. Starting with Microsoft Office 2010, MotW-tagged files are automatically opened in Protected View, and Windows Defender performs a virus scan on all executable files before allowing them to execute.

Bug 1: MotW. Zip Bypass, With Unofficial Patch

On July 7th, Dormann informed Microsoft of the first of two MotW bypass concerns. In his opinion, files unzipped from maliciously crafted.ZIP archives are not subject to the MotW in Windows. Dorman claims it can prevent MOTW markings from being retrieved from any file saved in an a.ZIP library. An attacker can use this to their advantage by creating a file that acts in a way that makes it look like it wasn’t downloaded from the Internet. According to Dormann, this facilitates their ability to fool people into executing arbitrary code.

Dormann claims he cannot discuss the weakness in detail since doing so would show how attackers may take advantage of it. However, he claims that there is a problem with all Windows versions starting with XP. He speculates that Microsoft hasn’t responded because CERT disclosed the flaw using the Vulnerability Information and Coordination Environment (VINCE), a technology that Microsoft has refused to allow CERT to utilize.

Dormann claims that additional researchers have confirmed that malicious actors actively exploit the vulnerability. Ex-Microsoft threat intelligence analyst turned security researcher Kevin Beaumont is one of them. Earlier this month, Beaumont revealed that the flaw had been used in a series of tweets in the wild.

0patch and Acros Security CEO and co-founder Mitja Kolsek told Dark Reading he was able to verify the flaw Dormann disclosed to Microsoft in July. According to him, a code patch is the only way to solve the flaws in the code that conducts the unpacking of.ZIP files. Kolsek claims that while the problem isn’t tricky to exploit, a successful attack requires more than just the vulnerability. An attacker still needs to persuade a victim to open a file in a maliciously constructed application to exploit. ZIP archive – provided as an attachment through a phishing email or, for instance, copied from a USB stick or other portable storage device.

Bug 2: Sneaking Past MotW With Corrupt Authenticode Signatures

The other flaw is how faulty Authenticode digital signatures are dealt with when processing files containing MotW tags. Microsoft’s Authenticode is a code signature mechanism that verifies the integrity of software by verifying the identity of its publisher and the integrity of the signed code.

Dormann claims to have found that Windows will consider a file without a valid Authenticode signature as though it did; this flaw permits Windows to bypass SmartScreen and other warning dialogs and run a JavaScript file regardless of whether or not it has MotW. Windows don’t appear to launch when an error occurs while processing Authenticode data, and it no longer applies MotW protection to files signed by Authenticode, even if those files still have the MotW tag.

According to Dormann’s explanation, the issue manifests itself in all versions of Windows, beginning with Windows 10, including the Windows Server 2016 server edition. This flaw allows attackers to bypass MOTW security by using a tainted signature on any file that Authenticode, including.exe and JavaScript files, can sign.

Dormann claims to have discovered the problem after reading a post by HP Threat Research earlier this month, which discussed a Magniber ransomware operation aimed to exploit the flaw in question.