Bypass for Windows trusted file label gets unofficial patch

A vulnerability that allowed threat actors to bypass the Windows Mark of the Web (MotW) security mechanism has an unofficial fix thanks to micropatching service 0patch.

MoTW automatically flags all files and executables that were downloaded from untrusted sources via the internet, including zipped archives.

Various versions of the patch are now available for Windows 10 v1803 and later, Windows 7 with or without Extended Security Updates (ESU), Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2008 R2 with or without ESU.

Mishandling ZIP archives

MOTW, in flagging files and archives from untrusted sources, tells system admins to be extra careful,  displaying messages warning them that running an untrusted file could result in system compromization.

However, according to BleepingComputer, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered last summer that .zip archives weren’t properly adding the necessary MoTW tags, placing many users at risk of malware, ransomware, and a myriad of other issues. 

In a recent Twitter thread, Dormann claims to have reported the issue to Microsoft in August 2022, an He also alleges that the company have opened and read the report, but is yet to patch it. 

Until that happens, users can head over to 0patch, register an account, and install the agent themselves. After that, the patches will be applied automatically as soon as the agent is started, and won’t require a system restart.

Microsoft has neglected to patch the vulnerability despite having becoming a popular bug exploit for attackers since Dormann’s disclosure last Summer. 

It’s not clear right now whether 0patch’s action will spur Microsoft into acting officially to protect more systems by pushing an official patch, although the bug report going ignored for over 90 days doesn’t bode well.

These are the best small business software out there

Via: BleepingComputer

Related posts

Leave a Comment