The vulnerability that allowed cybercriminals to bypass the Windows Mark of the Web (MotW) security mechanism has been unofficially fixed by the micropatching service 0patch.
MotW automatically flags all files and executables that have been downloaded from untrusted sources over the Internet, including packed archives.
Various patch versions are now available for Windows 10 v1803 and later, Windows 7 with or without Extended Security Updates (ESU), Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2008 R2 with or without ESU.
Mishandling of ZIP archives
MotW, by flagging files and archives from untrusted sources, tells system administrators to exercise extreme caution by displaying messages warning them that running an untrusted file may compromise their system.
However, according to BleepingComputer, Will Dormann, Senior Vulnerability Analyst at ANALYGENCE, discovered last summer that Windows was not properly applying the necessary MotW tags to files extracted from .zip archives, exposing many users to malware, ransomware, and a host of other problems.
In a recent Twitter thread, Dormann says he reported the issue to Microsoft in August 2022, and also claims the company opened and read the report, but has yet to release a fix for it.
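As an added example (not part of the article, the 0patch fix or Microsoft's code), this PowerShell check lets a defender verify, after extracting a downloaded archive, which files actually carry the MotW Zone.Identifier stream; the folder path is a constructed placeholder.

```powershell
# Added example, not code from the article, 0patch or Microsoft.
# Windows stores the Mark of the Web in the NTFS alternate data stream
# "Zone.Identifier" as "[ZoneTransfer]" / "ZoneId=3" (3 = Internet zone).
# Assumption: $ExtractedDir is a folder just extracted from an Internet-downloaded .zip.

function Get-MotWZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # No Zone.Identifier stream at all means the file carries no MotW.
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $body = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($body -match 'ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

function Test-ExtractedMotW {
    param([Parameter(Mandatory)][string]$ExtractedDir)
    Get-ChildItem -LiteralPath $ExtractedDir -File -Recurse | ForEach-Object {
        $zone = Get-MotWZoneId -Path $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            ZoneId  = $zone
            HasMotW = ($null -ne $zone -and $zone -ge 3)   # 3 = Internet, 4 = Restricted
        }
    }
}

# Report files that lost the mark; on an unpatched system these are the ones
# that open without the usual SmartScreen / Protected View warning.
$report = Test-ExtractedMotW -ExtractedDir 'C:\Users\alice\Downloads\extracted'   # constructed path
$report | Where-Object { -not $_.HasMotW } | Format-Table File, ZoneId

# Local remediation for a reviewed folder: re-apply the Internet-zone mark so the
# normal warnings fire again (a manual step, not the 0patch micropatch).
$report | Where-Object { -not $_.HasMotW } | ForEach-Object {
    Set-Content -LiteralPath $_.File -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}
```

The check only works on NTFS volumes, since alternate data streams are where the mark lives; on FAT or exFAT media the stream is silently dropped regardless of this bug.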
Until then, users can go to 0patch, register an account, and install the agent themselves. After that, patches will be applied automatically when the agent starts and will not require a system restart.
Microsoft has neglected to patch the vulnerability, even though it has been actively exploited by attackers since Dormann disclosed it last summer.
It’s unclear at this time if the 0patch action will encourage Microsoft to take official action to protect more systems by releasing an official patch, although a bug report that has been ignored for over 90 days doesn’t bode well.
Via: BleepingComputer