Microsoft Patches MotW Zero-Day Exploited for Malware Delivery

Microsoft’s latest Patch Tuesday updates address six zero-day vulnerabilities, including one related to the Mark-of-the-Web (MotW) security feature that has been exploited by cybercriminals to deliver malware.

Windows adds the MotW to files coming from untrusted locations, including browser downloads and email attachments. When trying to open files with the MotW, users are warned about the potential risks or, in the case of Office, macros are blocked to prevent malicious code execution.

However, there are ways to bypass MotW defenses. Researcher Will Dormann has identified three different MotW bypass methods and informed Microsoft about them over the summer, but patches were only rolled out now, and only for two of the vulnerabilities. The techniques work against all or most versions of Windows.

One of the methods involves delivering the malicious file inside a ZIP archive. If the malicious file is extracted, it will have the MotW and the user gets a warning. However, if the file is executed directly from within the archive, Windows runs it without any warning. This issue is tracked as CVE-2022-41049 and it has been patched by Microsoft with its November Patch Tuesday updates.

Another MotW bypass method involves making the malicious file ‘read only’ and placing it inside a ZIP archive. When the file is extracted, Windows attempts to set the MotW, but fails, which means the file will be executed by Windows without any warning.

This vulnerability is tracked as CVE-2022-41091 and it has been fixed by Microsoft on Tuesday. This is the method that Microsoft has confirmed as being exploited in the wild.
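As an added triage example (not code from the article, Microsoft or the researchers it cites), the following Python lists ZIP members that carry the DOS read-only attribute, the precondition the article describes for the CVE-2022-41091 technique. The sample archive is constructed inline; the attribute-bit layout is standard ZIP/DOS metadata, and a hit is a signal for closer inspection, not a verdict, since legitimate archives can contain read-only files too.

```python
import io
import zipfile

# DOS file-attribute bits live in the low byte of a ZIP entry's external_attr
# when the entry was written by MS-DOS/Windows tooling.
DOS_READONLY = 0x01
DOS_DIRECTORY = 0x10
DOS_ARCHIVE = 0x20


def readonly_members(zip_bytes: bytes) -> list:
    """Return names of non-directory members whose DOS read-only bit is set.

    Per the article, a read-only file inside a ZIP makes Windows fail to write
    the Zone.Identifier (MotW) stream at extraction time, so these members are
    the ones to look at more closely during triage of an inbound archive.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            attrs = info.external_attr & 0xFF  # low byte = DOS attributes
            if info.is_dir() or attrs & DOS_DIRECTORY:
                continue
            if attrs & DOS_READONLY:
                flagged.append(info.filename)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample: one ordinary member and one read-only member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign text")
        ro = zipfile.ZipInfo("sample_readonly.txt")
        ro.external_attr = DOS_ARCHIVE | DOS_READONLY  # archive + read-only
        zf.writestr(ro, "constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    print(readonly_members(build_sample_zip()))  # ['sample_readonly.txt']
```

Run it against a real archive with `readonly_members(open(path, "rb").read())`; pair a hit with a check that the extracted file actually received its Zone.Identifier stream on a patched host.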

“An attacker can craft a malicious file that would evade MotW defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,” Microsoft said in its advisory, noting that exploitation of the vulnerability requires user interaction.

HP security researchers recently analyzed a Magniber ransomware campaign that had used the technique to deliver the malware.

Rich Warren of the NCC Group, who has also been looking into this issue, has seen attacks as well, saying in mid-October that he had observed malicious samples going back at least 10 months. Warren has also made available some YARA rules to help detect ZIP files that attempt to exploit the vulnerability.

After patches were released, Microsoft’s Bill Demirkapi clarified that the company has been working on patching the actively exploited vulnerability since July. The company learned about the issue from multiple researchers.

“This is only the beginning — changes take time,” Demirkapi explained. “There are still variants and other MotW issues that we recently became aware of. Although MotW bypasses do not typically meet MSRC’s bar for servicing, we can make exceptions for issues that are exploited in-the-wild.”

The MotW bypass vulnerability that remains unpatched is related to corrupt Authenticode. If a file has a malformed Authenticode signature, the warning dialog is not displayed.

Cybersecurity firm Proofpoint reported in July that threat actors had been bypassing MotW by delivering Office documents inside container file formats such as IMG, ISO, RAR and ZIP.

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Related: Microsoft Patches Vulnerability Allowing Full Access to Azure Service Fabric Clusters

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
