Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patches MotW Zero-Day Exploited for Malware Delivery

Microsoft’s latest Patch Tuesday updates address six zero-day vulnerabilities, including one related to the Mark-of-the-Web (MotW) security feature that has been exploited by cybercriminals to deliver malware.

Microsoft’s latest Patch Tuesday updates address six zero-day vulnerabilities, including one related to the Mark-of-the-Web (MotW) security feature that has been exploited by cybercriminals to deliver malware.

Windows adds the MotW to files coming from untrusted locations, including browser downloads and email attachments. When trying to open files with the MotW, users are warned about the potential risks or, in the case of Office, macros are blocked to prevent malicious code execution.

However, there are ways to bypass MotW defenses. Researcher Will Dormann has identified three different MotW bypass methods and informed Microsoft about them over the summer, but patches were only rolled out now, and only for two of the vulnerabilities. The techniques work against all or most versions of Windows.

One of the methods involves delivering the malicious file inside a ZIP archive. If the malicious file is extracted, it will have the MotW and the user gets a warning. However, if the file is executed directly from within the archive, Windows runs it without any warning. This issue is tracked as CVE-2022-41049 and it has been patched by Microsoft with its November Patch Tuesday updates.

Another MotW bypass method involves making the malicious file ‘read only’ and placing it inside a ZIP archive. When the file is extracted, Windows attempts to set the MotW, but fails, which means the file will be executed by Windows without any warning.

This vulnerability is tracked as CVE-2022-41091 and it has been fixed by Microsoft on Tuesday. This is the method that Microsoft has confirmed as being exploited in the wild.

“An attacker can craft a malicious file that would evade MotW defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,” Microsoft said in its advisory, noting that exploitation of the vulnerability requires user interaction.

HP security researchers recently analyzed a Magniber ransomware campaign that had used the technique to deliver the malware.

Rich Warren of the NCC Group, who has also been looking into this issue, has also seen some attacks, saying in mid-October that he had seen malicious samples going back at least 10 months. Warren has also made available some Yara rules to help detect ZIP files that attempt to exploit the vulnerability. 

After patches were released, Microsoft’s Bill Demirkapi clarified that the company has been working on patching the actively exploited vulnerability since July. The company learned about the issue from multiple researchers.

“This is only the beginning — changes take time,” Demirkapi explained. “There are still variants and other MotW issues that we recently became aware of. Although MotW bypasses do not typically meet MSRC’s bar for servicing, we can make exceptions for issues that are exploited in-the-wild.”

The MotW bypass vulnerability that remains unpatched is related to corrupt Authenticode. If a file has a malformed Authenticode signature, the warning dialog is not displayed.

Cybersecurity firm proofpoint reporter in July that threat actors had been bypassing MotW by delivering Office documents inside container file formats such as IMG, ISO, RAR and ZIP. 

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Related: Microsoft Patches Vulnerability Allowing Full Access to Azure Service Fabric Clusters

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.