Actively exploited Windows MoTW zero-day gets unofficial patch


A free unofficial patch is available for a Mark-of-the-web (MoTW) security vulnerability impacting Windows 10 and 11, Bleeping Computer reports.

The actively exploited zero-day flaw lets files signed with malformed signatures bypass MoTW security warnings on the operating systems.

MotW Zero-day

MotW is a Windows feature designed to protect users against files from untrusted sources.

When accessed, the downloaded JS files would automatically execute the script. Will Dormann, a senior vulnerability analyst, believes that the bug was first introduced with the release of Windows 10 and it stems from the OS’s new “Check apps and files” SmartScreen, as a fully patched Windows 8.1 device would display the MoTW security warning.

“Any file contained within a .ZIP can be configured in a way so that when it’s extracted, it will not contain MOTW markings,” Dormann says. “This allows an attacker to have a file that will operate in a way that makes it appear that it did not come from the Internet.” This makes it easier for attackers to trick users into running arbitrary code on their systems.

The second vulnerability involves the handling of MotW-tagged files that have corrupt Authenticode digital signatures. Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and determines whether the software was tampered with after it was published.

Dormann says he discovered that if a file has a malformed Authenticode signature, it will be treated by Windows as if it had no MotW; the vulnerability causes Windows to skip SmartScreen and other warning dialogs before executing a JavaScript file.

Dormann reported that threat actors can modify any Authenticode-signed file to bypass security systems, which is concerning. Microsoft declared that they are aware of the issue and are working on remediating it.
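For triage, the condition described above (a file that still carries a MotW tag but has a broken Authenticode signature) can be searched for on disk. The script below is an added example, not code from the article, Dormann, or 0patch; the scanned folder, the extension list, the helper name `Get-MotwZoneId`, and the rule "any signature status other than Valid or NotSigned is suspicious" are assumptions.

```powershell
# Added triage example. Default folder and extension list are assumptions.
param(
    [string]$Root = (Join-Path $env:USERPROFILE 'Downloads'),
    [string[]]$Extensions = @('.js', '.jse', '.vbs', '.wsf', '.ps1', '.exe', '.dll', '.msi')
)

# Hypothetical helper: returns the ZoneId stored in the file's MotW tag, or $null.
function Get-MotwZoneId {
    param([string]$Path)
    # MotW lives in the NTFS alternate data stream named Zone.Identifier.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$findings = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone   = Get-MotwZoneId -Path $_.FullName
        $status = [string](Get-AuthenticodeSignature -LiteralPath $_.FullName).Status

        # A signature that is present but does not verify (assumed rule, see lead-in).
        $badSignature = $status -notin @('Valid', 'NotSigned')
        # ZoneId 3 = Internet, 4 = Restricted sites.
        $fromInternet = ($null -ne $zone) -and ($zone -ge 3)

        if ($badSignature) {
            [pscustomobject]@{
                Path            = $_.FullName
                ZoneId          = $zone
                SignatureStatus = $status
                # Tagged as downloaded AND carrying a broken signature:
                # the combination the article says suppresses the warning.
                MotwWithBadSig  = $fromInternet
            }
        }
    }

# Highest-priority rows (MotW present, signature broken) first.
$findings | Sort-Object -Property MotwWithBadSig -Descending | Format-Table -AutoSize -Wrap
```

Rows with `MotwWithBadSig` set to `True` deserve review first; rows with a broken signature and no `ZoneId` may be files that lost their tag during ZIP extraction, the other behaviour Dormann describes.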

Until Microsoft releases official updates to address the flaw, 0patch has developed free patches for the following affected Windows versions:

  1. Windows 11 v21H2
  2. Windows 10 v21H2
  3. Windows 10 v21H1
  4. Windows 10 v20H2
  5. Windows 10 v2004
  6. Windows 10 v1909
  7. Windows 10 v1903
  8. Windows 10 v1809
  9. Windows 10 v1803
  10. Windows Server 2022
  11. Windows Server 2019 

To install the micropatch on your Windows device, you will need to register a free 0patch account and install its agent.


About the Author:

FirstHackersNews- Identifies Security
