Microsoft’s Mark of the Web (MoTW) security feature may be bypassed by malicious attachments and files due to two distinct flaws that are present in various versions of Windows. As per Will Dormann, a senior software vulnerability researcher with the CERT/CC who found the two weaknesses, attackers are actively exploiting both of the flaws. According to the researcher, however, there are also no known workarounds that companies may use to defend themselves from the vulnerability.
What exactly is a zero-day vulnerability in Microsoft?
The elevation-of-privilege vulnerability (CVE-2022-41033) in the Windows COM+ Event System service is categorized as important. This vulnerability is also known as the Windows zero-day. This flaw does not call for any action by the user, and a successful exploit of the vulnerability grants the attacker elevated rights inside the system.
A newly discovered zero-day vulnerability in Windows makes it possible for threat actors to circumvent Mark-of-the-Web security alerts by using malicious stand-alone JavaScript files. It has already been seen that threat actors are using the zero-day issue in ransomware assaults. Windows has a security feature known as Mark-of-the-Web (MoTW), which identifies a file as having been obtained from the Internet and, as a result, suggests that the user exercise extreme care around the file since it may contain harmful code.
The MoTW flag is appended to a downloaded file or an email attachment in the form of a unique Alternate Data Stream that is referred to as ‘Zone.Identifier.’ This data stream may be seen by using the ‘dir /R’ command or accessed directly in Notepad.
The mark is a covert tag that Windows appends to files that are downloaded from the internet. The capabilities and behaviors of files that have the MotW tag attached to them are severely limited. For instance, beginning with Microsoft Office 10, MotW-tagged files open automatically in Protected View, and before being allowed to execute, executables must first be screened by Windows Defender for any vulnerabilities before they can be launched.
The existence of the MotW is necessary for the operation of much of the security features available in Windows, such as Protected View, Smart App Control, SmartScreen and warning dialogs.
Bug 1: Bypass for the MotW.ZIP File, using an Unofficial Patch:
According to Dorman, any file that is stored inside a .ZIP may be designed in such a manner that when it is extracted, it will not carry MOTW indications. As a result of this, a hacker can get a file that will behave in a manner that gives the impression that it was not obtained from the internet. Because of this, it is now much simpler for them to manipulate consumers into installing and executing arbitrary programs on their computers. In case you are worried about security warnings, then use VPN router with dedicated IP to ensure your secure connection first.
But he is unable to discuss the specifics of the problem since doing so would reveal how potential adversaries may exploit the vulnerability. On the other hand, he asserts that the flaw is present in all editions of Windows beginning with XP and continuing forward. According to him, this is one of the reasons why Microsoft has not been in touch with him.
Bug 2: Authenticode Signatures Can Be Corrupted and Used to Get Around MotW:
The processing of MotW-tagged files that contain tainted Authenticode digital signatures is the subject of the second vulnerability. Microsoft’s Authenticode is a code-signing technology that verifies the identity of the software’s publisher and determines whether or not the software was changed after it was initially distributed. Authenticode also checks to see if the software was altered after it was initially distributed.
According to Dormann, Windows would handle a file as if it had no MotW if it had a tainted Authenticode signature attached to it. Because of the vulnerability, Windows will bypass SmartScreen and any other warning dialogs before running a JavaScript file.
When Windows runs into a problem in processing Authenticode data, the operating system gives the impression that it has -failed open, and it will no longer apply MotW protections to Authenticode-signed files, although these files have not lost their MotW.
The problem manifests itself in all editions of Windows starting with version 10 and continuing, including the server edition of Windows Server 2016. Because of the vulnerability, attackers can sign any file that can be signed by Authenticode in a malformed manner, including JavaScript scripts and.exe files, for example.
Where do we stand with the solution?
Will Dorman find out that threat actors had entered JavaScript files using a key that was corrupted. Because of the corrupted key, Microsoft did not show security warning, which resulted in the automated script to install ransomware. By using this method, threat actors can circumvent typical security alerts. Dorman thinks that the security vulnerability existed even before introducing Windows 10.
It is disturbing that threat actors have already used this Mark-of-the-web vulnerability in attacks. This makes the issue more difficult to manage. Microsoft has acknowledged that they know existing issues and have showed that they are doing research into it. Meanwhile, there is a micro-patch available for the vulnerability that was published by third-party firm known as 0patch. This patch is not official. Windows 10 versions 1803 and recent ones, Windows 7, Windows Server 2022, 2019, 2016, 2012- 2012- R2, and Windows Server 2008 R2 are all supported by the patch.
Microsoft patches a large number of vulnerabilities known as zero days:
Users of Windows increasingly may expect to get unfavorable information as actively exploited zero-day vulnerabilities whenever Microsoft releases its Patch Tuesday security update. This is becoming the norm rather than the exception. The availability of fixes is also a welcome piece of news, of course. With no less than four new Windows zero-day attacks and verified patches, the November update does not disappoint in any aspect.
This week’s Patch Tuesday, which takes place on November 2022, includes solutions for many vulnerabilities that are being actively exploited in the field, one of which is CVE-2022-41091, a Windows Mark of the Web bypass vulnerability.
Fixes that should take priority include CVE-2022-41091, a zero-day vulnerability in Windows that enables attackers to sidestep the protection provided by the Mark of the Web (MOTW) security feature. They can create a malicious file that exploits the vulnerability and distribute it either via a website that has been hacked or infected themselves, through email or instant messaging.
An adversary has no means, under any circumstances, of interesting a user to consume the material that is controlled by the adversary. Instead, it would be necessary for an attacker to persuade a user to do some action. An adversary, for instance, could convince a user to download a malicious file or click on a link that takes the user to the adversary’s website to get access to the user’s computer.
What are the four new zero-day vulnerabilities in Windows?
An elevation of privilege vulnerability known as CVE-2022-41073 exists in the Windows print spooler and might allow an attacker to get system rights if they successfully exploit it. This vulnerability is now being aggressively exploited, and it affects almost every version of Windows and Windows Server.
CVE-2022-41125 is a flaw in the way Windows handles the separation of Cryptographic Next Generation keys. This flaw, like the previous ones, may cause privilege escalation and ultimately allow system control. Users of Windows 8.1, 10, and 11 as well as users of Server 2012, 2016, 2019, and 2022 should upgrade as soon as possible since this affects fewer versions of Windows and Windows Server than usual; users of these versions should still update.
The vulnerability known as CVE-2022-41128 affects the Windows scripting language and allows for the execution of remote code. It would be necessary for the user to engage with the exploit by going to a malicious server. The vulnerability affects almost every edition of Windows and Windows Server.
Windows users may be susceptible to the vulnerability known as CVE-2022-41091, which is a “mark of the online security bypass.” Microsoft advises that an attacker may host a malicious website, email or instant message that was maliciously designed, or upload harmful material to a website that was hacked by a user provider. It has been shown that a malicious ZIP file may execute this vulnerability. If this is effective, it may be possible to deactivate features, such as the protected view in Microsoft Office. Users that use Windows 10 and 11, as well as Server 2019 and 2022, are affected.
What should you do to secure your PC?
Keep your operating system, applications, and browser all up to date.
Always ensure that your operating systems have the most recent updates installed. The vast majority of updates contain security patches that stop hackers from obtaining your data and using it to their advantage. The same is true for app development. Web browsers of today are becoming smarter, particularly concerning users’ privacy and safety online. Besides installing all the latest updates, you should also carefully examine the browser security settings. For instance, you may use your browser to prohibit websites from monitoring your movements, which contributes to an improvement in the level of privacy you enjoy when using the internet. Alternatively, you might make use of one of these anonymous web browsers.
Protect your network from harm.
Routers rarely come configured with the greatest possible levels of security when first purchased. Log in to the router while you are setting up your network, and use a safe, encrypted setup to create a password for the router. This stops unauthorized users from accessing your network and tampering with the settings they have chosen.
