Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit
Two separate vulnerabilities exist in different versions of Windows that allow attackers to sneak malicious attachments and files past Microsoft’s Mark of the Web (MoTW) security feature.
Attackers are actively exploiting both issues, according to Will Dormann, a former software vulnerability analyst with CERT Coordination Center (CERT/CC) at Carnegie Mellon University, who discovered the two bugs. But so far, Microsoft has not issued any fixes for them, and no known workarounds are available for organizations to protect themselves, says the researcher, who has been credited with discovering numerous zero-day vulnerabilities over his career.
MotW is a Windows feature designed to protect users against files from untrusted sources. The mark itself is a hidden tag that Windows attaches to files downloaded from the Internet. Files that carry the MotW tag are restricted in what they do and how they function. For example, starting with MS Office 10, MotW-tagged files open by default in Protected View, and executables are first vetted for security issues by Windows Defender before they are allowed to run.
“Many Windows security features — [such as] Microsoft Office Protected view, SmartScreen, Smart App Control, [and] warning dialogs — rely on the presence of the MotW to function,” Dormann, who is presently a senior vulnerability analyst at Analygence, tells Dark Reading.
Dormann reported the first of the two MotW bypass issues to Microsoft on July 7. According to him, Windows fails to apply the MotW to files extracted from specifically crafted .ZIP files.
“Any file contained within a .ZIP can be configured in a way so that when it’s extracted, it will not contain MOTW markings,” Dorman says. “This allows an attacker to have a file that will operate in a way that makes it appear that it did not come from the Internet.” This makes it easier for them to trick users into running arbitrary code on their systems, Dormann notes.
Dormann says he cannot share details of the bug, because that would give away how attackers could leverage the flaw. But he says it affects all versions of Windows from XP on. He says one reason he has not heard from Microsoft likely is because the vulnerability was reported to them via CERT’s Vulnerability Information and Coordination Environment (VINCE), a platform that he says Microsoft has refused to use.
“I haven’t worked at CERT since late July, so I cannot say if Microsoft has attempted to contact CERT in any way from July on,” he cautions.
Dormann says other security researchers have reported seeing attackers actively exploiting the flaw. One of them is security researcher Kevin Beaumont, a former threat intelligence analyst at Microsoft. In a tweet thread earlier this month, Beaumont reported the flaw as being exploited in the wild.
“This is without a doubt the dumbest zero day I’ve worked on,” Beaumont said.
In a separate tweet a day later, Beaumont said he wanted to release detection guidance for the issue but was concerned about the potential fallout.
“If Emotet/Qakbot/etc find it they will 100% use it at scale,” he warned.
In an emailed comment a Microsoft spokeswoman said the company is “aware of the technique and are investigating to determine the appropriate steps to address the issue.” The statement did not say which of the two MoTW related issues Microsoft is investigating or might be planning to address. Meanwhile, Slovenia-based security firm Acros Security last week released an unofficial patch for this first vulnerability via its 0patch patching platform.
In comments to Dark Reading, Mitja Kolsek, CEO and co-founder of 0patch and Acros Security, says he was able to confirm the vulnerability that Dormann reported to Microsoft in July.
“Yes, it is ridiculously obvious once you know it. That’s why we didn’t want to reveal any details,” he says. He says the code performing the unzipping of .ZIP files is flawed and only a code patch can fix that. “There are no workarounds,” Kolsek says.
Kolsek says the issue is not difficult to exploit, but he adds the vulnerability alone is not enough for a successful attack. To exploit successfully, an attacker would still need to convince a user into opening a file in a maliciously crafted .ZIP archive — sent as an attachment via a phishing email or copied from a removable drive such as a USB stick for instance.
“Normally, all files extracted from a .ZIP archive that is marked with MotW would also get this mark and would therefore trigger a security warning when opened or launched,” he says, but the vulnerability definitely allows attackers a way to bypass the protection. “We are not aware of any mitigating circumstances,” he adds.
Kolsek noted that his firm has a patch candidate ready for the second issue as well and should release it by Friday.
This second vulnerability involves the handling of MotW tagged files that have corrupt Authenticode digital signatures. Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and determines whether the software was tampered with after it was published.
“Windows appears to ‘fail open’ when it encounters an error [when] processing Authenticode data,” Dormann says, and “it will no longer apply MotW protections to Authenticode-signed files, despite them actually still retaining the MotW.”
Dormann says he learned of the issue after reading an HP Threat Research blog from earlier this month about a Magniber ransomware campaign involving an exploit for the flaw.
It’s unclear if Microsoft is taking action, but for now, researchers continue to raise the alarm. “I have not received an official response from Microsoft, but at the same time, I have not officially reported the issue to Microsoft, as I’m no longer a CERT employee,” Dormann says. “I announced it publicly via Twitter, due to the vulnerability being used by attackers in the wild.”
Copyright © 2022 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.