The vulnerability that allowed cybercriminals to bypass the Windows Mark of the Web (MotW) security mechanism has been unofficially fixed thanks to the micropatch service 0patch.
MotW automatically flags all files and executables downloaded from untrusted sources over the Internet, including compressed archives.
Different versions of the patch are now available for Windows 10 v1803 and above, Windows 7 with or without Extended Security Updates (ESU), Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2008 R2 with or without ESU.
Incorrect handling of ZIP archives
MotW, by flagging files and archives from untrusted sources, warns system administrators to be extremely careful, displaying messages that running an untrusted file may compromise the system.
However, according to BleepingComputer, Will Dormann, senior vulnerability analyst at ANALYGENCE, discovered last summer that .zip archives were not properly adding the necessary MotW tags, putting many users at risk from malware, ransomware, and countless other problems.
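As an added example that is not code from the article or from 0patch, the following PowerShell audit checks which files in a folder carry the MotW tag (the NTFS Zone.Identifier alternate data stream) and which do not, so that archive contents that lost the tag can be reviewed before anyone runs them. It assumes the archive has already been extracted to a folder on an NTFS volume; the two demonstration files it creates are constructed.

```powershell
# Added example, not code from the article or from 0patch. Reports, for every
# file under a folder, whether the MotW tag (Zone.Identifier stream) is present.
function Get-MotWStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $result = [pscustomobject]@{ Path = $_.FullName; ZoneId = $null; HasMotW = $false }
        # A tagged file has a Zone.Identifier stream; an untagged one does not.
        $stream = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            $result.HasMotW = $true
            $text = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Raw
            # The stream is an INI-style block: [ZoneTransfer] followed by ZoneId=<n>.
            # ZoneId 3 is the Internet zone, the value that triggers the warning prompts.
            if ($text -match '(?m)^ZoneId=(\d+)') { $result.ZoneId = [int]$Matches[1] }
        }
        $result
    }
}

# Constructed demonstration: one file tagged as downloaded from the Internet
# (ZoneId=3) and one with no tag, which is how an extracted archive entry looks
# when the archive's MotW is not propagated to its contents.
$demo = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'tagged.exe') -Value 'placeholder'
Set-Content -LiteralPath (Join-Path $demo 'tagged.exe') -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath (Join-Path $demo 'untagged.exe') -Value 'placeholder'

Get-MotWStatus -Path $demo | Format-Table -AutoSize

# Flag anything lacking the tag so it can be reviewed before it is executed.
Get-MotWStatus -Path $demo | Where-Object { -not $_.HasMotW } |
    ForEach-Object { Write-Warning "No Mark of the Web on $($_.Path)" }

Remove-Item -LiteralPath $demo -Recurse -Force
```

Run the function against the real extraction folder instead of $demo to audit an archive you have downloaded.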
In a recent Twitter thread, Dormann says he reported the issue to Microsoft in August 2022 and also says the company opened and read the report but has not yet patched it.
Until then, users can go to 0patch, register an account, and install the agent themselves. The fixes are then applied automatically as soon as the agent starts and do not require a system restart.
Microsoft has not patched this vulnerability, even though it has become a popular exploit among attackers since Dormann's disclosure last summer.
At the moment, it is not clear whether 0patch's action will encourage Microsoft to protect more systems by releasing an official patch, although ignoring the bug report for more than 90 days does not bode well.
By: BleepingComputer