A cybersecurity company has released another unofficial patch for a Windows bug that Microsoft has not yet fixed, even though the vulnerability is being actively exploited to spread ransomware.

Back on October 17, Acros Security released a small binary patch to address a bug in Microsoft’s Mark-of-the-Web (MotW) feature. MotW is supposed to set a flag in the metadata of files obtained from the Internet, USB sticks, and other untrusted sources. When such a file is opened, the flag triggers additional protections, such as Office blocking macros from running or Windows asking the user to confirm that they really want to run the executable.

It turns out that this feature can be bypassed: files downloaded from the web can be made to arrive without the MotW flag, so none of that protection kicks in when they are opened. Specifically, an attacker could prevent Windows from applying the MotW flag to files extracted from a ZIP archive obtained from an untrusted source. Miscreants can exploit this by luring marks into opening ZIP archives and running the malware inside without tripping the expected security safeguards. The flaw was highlighted months ago by Will Dormann, Senior Vulnerability Analyst at Analygence.

Microsoft has yet to fix this bug. Security researcher Kevin Beaumont said on October 10 that the bug was now being exploited in the wild. Acros put out a micropatch about a week later that can be applied to close that hole while waiting for Redmond to catch up.

Acros has now released another patch that addresses a related MotW security gap in Windows, one that Microsoft has again yet to fix.

What’s new?

Just days before the first patch was released, HP Wolf Security published a report about a wave of ransomware infections in September that each started with a web download. Victims were tricked into fetching a ZIP archive containing a JavaScript file masquerading as an antivirus or Windows software update.

When the script ran, it deployed Magniber, a strain of ransomware aimed at home Windows users. It encrypts documents and extorts up to $2,500 from victims to get their data back, according to Wolf Security.

“Although Magniber does not fall into the category of Big Game Hunting, it can still cause significant damage,” Team Wolf wrote in their report, with Big Game Hunting referring to crooks specifically infecting large, wealthy companies in the hope of obtaining large payouts. “Home users were the likely target of this malware based on supported OS versions and UAC bypass.”

Crucially, HP malware analyst Patrick Schlapfer pointed out that the malicious JavaScript in the Magniber ZIP archive did carry the MotW flag, yet it still ran without the SmartScreen alert appearing, either to stop the requested action or to warn the user before continuing, as you’d expect for an archive fetched online. Mitja Kolsek, CEO of Acros, confirmed that SmartScreen was bypassed by the Magniber script.

Microsoft’s SmartScreen is supposed to, among other things, block obviously malicious files or warn users if a file looks suspicious, but the contents of the Magniber ZIP archive managed to sidestep that process entirely. In other words: there is a bug in Windows that has been exploited so that the MotW flag is not applied to files obtained from the Internet, and now there is exploitation of a related vulnerability where MotW is set but has no effect.

“Remember that on Windows 10 and Windows 11, opening any potentially malicious file will start a SmartScreen scan for the said file, with SmartScreen determining whether the file is clear to start or the user should be warned about,” Kolsek said.

It turns out that the script file in the Magniber ZIP bypasses SmartScreen because of a malformed Authenticode digital signature. The broken signature confuses Windows into allowing the script to run even though its MotW flag is set.

Dormann of Analygence tweeted on October 18, in response to Schlapfer, that “if a file contains this malformed Authenticode signature, the SmartScreen and/or file open warning dialog will be skipped regardless of the script’s contents, as if there is no MotW on the file.”

Microsoft Authenticode is a digital code-signing technology that identifies the publisher and verifies that the software has not been tampered with after it was signed and released. Dormann found that the script’s signature was so garbled that Windows “couldn’t even parse it properly. This, for some strange reason, led to Windows trusting them—and allowing malicious executables to execute without warning,” Kolsek wrote.

Further analysis by Acros Security found that the flaw occurs because SmartScreen, when trying to parse the malformed signature, hits an error, and the operating system then launches the program and infects the device without ever showing a warning.
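Both bugs described above leave a defender with the same question after unpacking an untrusted ZIP: do the extracted files actually carry MotW, and does anything carry a signature Windows cannot parse? The following PowerShell is an added example, not code from the article or from Acros Security; it assumes NTFS, Windows PowerShell 5.1 or later, and that the folder passed as -Path is a placeholder you replace with your own extraction directory.

```powershell
# Added defender-side check, not code from the article or from Acros Security.
# Audits files extracted from an untrusted ZIP for a missing Zone.Identifier
# stream (Mark-of-the-Web) and for Authenticode signatures Windows cannot parse.
function Test-ExtractedFiles {
    param(
        [Parameter(Mandatory)] [string] $Path,     # placeholder: your extraction folder
        [string] $HostUrl = 'about:internet',      # recorded in the stream when -Fix is used
        [switch] $Fix                              # re-apply MotW where it is missing
    )
    # File types Windows can carry an embedded Authenticode signature for.
    $signable = '.exe', '.dll', '.msi', '.cab', '.ps1', '.js', '.vbs', '.wsf'

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_.FullName
        # MotW lives in the Zone.Identifier alternate data stream; ZoneId=3 means
        # "Internet". A missing stream is the symptom of the first (ZIP) bug.
        $zone = Get-Item -LiteralPath $file -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        $hasMotw = $null -ne $zone
        if (-not $hasMotw -and $Fix) {
            $content = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=$HostUrl`r`n"
            Set-Content -LiteralPath $file -Stream 'Zone.Identifier' -Value $content -NoNewline
            $hasMotw = $true
        }
        # Second bug: a signature Windows fails to parse. Any status other than
        # Valid or NotSigned (for example UnknownError) on a signable file deserves a look.
        $sig = $null
        if ($_.Extension.ToLower() -in $signable) {
            $sig = (Get-AuthenticodeSignature -LiteralPath $file).Status.ToString()
        }
        [pscustomobject]@{
            File      = $file
            HasMotW   = $hasMotw
            SigStatus = $sig
            Suspect   = (-not $hasMotw) -or ($null -ne $sig -and $sig -notin 'Valid', 'NotSigned')
        }
    }
}

# Usage (placeholder path): list only the files that need attention.
Test-ExtractedFiles -Path 'C:\Users\me\Downloads\unzipped' | Where-Object Suspect
```

Running with -Fix only restores the MotW flag; a file flagged by SigStatus still needs manual review, because the whole point of the second bug is that SmartScreen will not warn about it.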

Acros’s latest micropatch, released on October 28, works with Windows 11 version 21H2, eight versions of Windows 10 including 21H1 and 21H2, and Windows Server 2019 and 2022, we’re told.

A Microsoft spokesperson told us of this latest vulnerability: “We are aware of this technique and are investigating to identify appropriate steps to address the issue.” ®