A cybersecurity company has issued another unofficial patch to squash a bug in Windows that Microsoft has yet to address, with this hole being actively exploited to spread ransomware.
Rewind to October 17th and Acros Security released a small binary patch to fix a bug in Microsoft’s Mark-of-the-Web (MotW) feature. This feature is intended to set a flag in the metadata of files obtained from the Internet, USB sticks, and other untrusted sources. This flag ensures that extra security protections kick in when these files are opened, such as Office blocking macros from running or the operating system checking that the user really wanted to run that .exe file.
It turns out that it is possible to bypass this feature and have files downloaded from the web not carry the MotW flag, bypassing all of these protections when they are opened. Specifically, an attacker could prevent Windows from placing the MotW flag on files extracted from a ZIP archive obtained from an untrusted source. This can be exploited by bad guys to trick marks into opening ZIP archives and running malware without triggering the expected security protection. The error was highlighted months ago by Will Dormann, Senior Vulnerability Analyst at Analygence.
Microsoft has yet to address this oversight. Security watcher Kevin Beaumont said on October 10 that the flaw was being exploited in the wild. Acros put out a micropatch about a week later that can be applied to close this hole while you wait for Redmond to catch up.
Now, Acros has sent out another patch that addresses a related MotW security hole in Windows that Microsoft, again, has yet to address.
What is new?
Just days before the first patch was released, HP Wolf Security shared a report about a slew of ransomware infections in September that each started with a web download. Victims were prompted to download a ZIP archive containing a JavaScript file masquerading as an antivirus or Windows software update.
The script, when executed, actually deployed Magniber, a ransomware strain targeting Windows home users. It encrypts documents and can extort as much as $2,500 from victims to restore their data, according to Wolf Security.
“Although Magniber does not fall into the category of big game hunting, it can still cause significant damage,” the Wolf team wrote in their report, where big game hunting refers to crooks who specifically infect large, wealthy companies in hopes of a big payday. “Home users were the likely target of this malware based on the supported operating system versions and UAC bypass.”
Crucially, HP malware analyst Patrick Schlapfer noted that the malicious JavaScript in the Magniber ZIP archive did carry the MotW flag but still executed without a SmartScreen warning appearing to either stop the requested action or warn the user not to proceed, as you would expect for an Internet-downloaded archive. Mitja Kolsek, CEO of Acros, confirmed that SmartScreen was bypassed by the Magniber script.
Microsoft’s SmartScreen is supposed to block obvious malicious files or warn users if a file looks suspicious, among other things, but the Magniber ZIP archive’s contents were able to completely sidestep that process. That is: there is a bug in Windows that has been exploited so that the MotW flag is not applied to Internet-based files, and now there is exploitation of a related vulnerability where MotW is set but it has no effect.
“Remember that on Windows 10 and Windows 11, opening any potentially malicious file triggers a SmartScreen inspection of the file, where SmartScreen determines whether the file is ready to run or whether to warn the user about it,” Kolsek said.
And it turns out that the script file in the Magniber ZIP bypasses SmartScreen due to a broken Authenticode digital signature. This malformed signature confuses Windows so that the script is allowed to run even though its MotW flag is set.
Analyst Dormann tweeted on October 18 in response to Schlapfer that “if the file has this incorrect Authenticode signature, the SmartScreen warning dialog and/or file opening will be skipped regardless of script content, as if there is no MotW on the file.”
Microsoft’s Authenticode is a digital code signing technology that identifies the publisher and verifies that the software has not been tampered with after it is signed and released. Dormann found that the script file signatures were flawed to the point that Windows “couldn’t even parse them properly. This led, for some reason, to Windows trusting them – and allowing malicious executables to run without warning,” Kolsek wrote.
Further inspection by Acros Security found that the error occurred because SmartScreen, when trying to analyze the incorrect signature, returned an error, causing the operating system to run the program and infect the machine without triggering a warning.
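The two failure modes described above (files extracted from a ZIP that never receive the MotW flag, and a file that carries the flag but has an Authenticode signature Windows cannot parse) can both be spotted after the fact by inspecting the files. The following PowerShell audit script is an added example written for this article; it is not code from Acros, HP or Microsoft. It assumes Windows PowerShell 5.1 or later on an NTFS volume, because MotW is stored in the `Zone.Identifier` alternate data stream and only NTFS keeps that stream. The folder path and the `Get-MotwZoneId` / `Test-DownloadedFiles` function names are the author's own choices.

```powershell
# Added example: audit a folder of downloaded/extracted files for
# Mark-of-the-Web state and Authenticode signature status.
# Assumes Windows PowerShell 5.1+ and an NTFS volume (hypothetical setup).

function Get-MotwZoneId {
    param([Parameter(Mandatory = $true)][string]$FilePath)
    # MotW lives in the Zone.Identifier alternate data stream; ZoneId=3 is
    # the Internet zone, ZoneId=4 is Restricted Sites. No stream means no MotW.
    $lines = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-DownloadedFiles {
    param([Parameter(Mandatory = $true)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $zoneId = Get-MotwZoneId -FilePath $_.FullName
        # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch,
        # NotTrusted, UnknownError, Incompatible or NotSupportedFileFormat.
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $hasMotw = ($null -ne $zoneId) -and ($zoneId -ge 3)
        # Flag the two conditions the article describes:
        #  - no MotW on something that came out of an Internet download, and
        #  - MotW present but a signature Windows cannot evaluate cleanly.
        $finding = if (-not $hasMotw) {
            'NO-MOTW: extracted/downloaded file without Internet zone marker'
        } elseif ($sig.Status -notin @('Valid', 'NotSigned')) {
            "ODD-SIGNATURE: MotW set but signature status is $($sig.Status)"
        } else {
            'ok'
        }
        [pscustomobject]@{
            File      = $_.FullName
            ZoneId    = if ($null -eq $zoneId) { 'none' } else { $zoneId }
            SigStatus = $sig.Status
            Finding   = $finding
        }
    }
}

# Usage: audit an extracted archive folder (path is a placeholder).
Test-DownloadedFiles -Folder 'C:\Users\Public\Downloads\extracted' | Format-Table -AutoSize
```

A `.js` or other script file that shows `ZoneId = 3` together with a signature status such as `UnknownError` or `Incompatible` is exactly the shape of file the article is about: SmartScreen should have inspected it, but the malformed signature short-circuits that inspection. Files reporting `none` for the zone came through a path (such as the ZIP extraction bug above) that dropped the marker entirely, so none of the MotW-driven protections would apply when they are opened.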
Acros's latest micropatch, released on October 28, works for Windows 11 version 21H2, eight versions of Windows 10 including 21H1 and 21H2, and Windows Server versions 2019 and 2022, we’re told.
A Microsoft spokesperson told us about this latest vulnerability: “We are aware of the technology and are investigating to determine the appropriate steps to address the issue.”