Skip links

Microsoft fixes MoTW zero-day used to drop malware via ISO files



Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers.

For those unfamiliar with Mark of the Web (MoTW), it is a Windows security feature that flags files originating from the Internet so that they are tagged as suspicious by the operating system and installed applications.

The MoTW flag is added to files as an alternate data stream called ‘Zone.Identifier,’ which includes what URL security zone the file is from, the referrer, and the URL to the file.

Alternate Data Streams are an NTFS file attribute that can be viewed using a specialized tool or the ‘dir /R’ command in the Command Prompt and opened directly in Notepad, as shown below. 

A Mark-of-the-Web alternate data stream
Source: BleepingComputer

When attempting to open a file with a Mark of the Web flag, Windows will display a security warning that the file should be treated with caution.

“While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows.

Windows security warning when opening files with MoTW flags
Source: BleepingComputer

Microsoft Office also uses the MoTW flag to determine if the file should be opened in Protected View, causing a warning to be displayed and for macros to be disabled.

Microsoft Office Protected View
Source: BleepingComputer

Microsoft fixes Mark of the Web in ISOs

As part of the November Patch Tuesday updates, Microsoft fixed numerous vulnerabilities that allowed threat actors to craft files that can bypass the Mark of the Web security feature.

Included in the updates was an unexpected fix for a bug that threat actors commonly abuse in phishing campaigns.

According to Bill Demirkapi, an engineer in Microsoft MSRC’s Vulnerability and Mitigations team, a bug was fixed that prevented the MoTW flag from propagating to files inside an ISO disk image.

For some time, threat actors have been distributing ISO disk images as attachments in phishing campaigns to infect targets with malware.

Since Windows 8, it is possible to open an ISO file by double-clicking on it, causing Windows to mount it as a DVD drive under a new drive letter.

While a downloaded or attached ISO file will contain the Mark of the Web and issue a warning when opened, the bug caused the MoTW flag not to be propagated to non-Microsoft Office file types, such as Windows Shortcuts (LNK files).

Therefore, if a user opens an ISO attachment and double-clicks the enclosed LNK file, it will run automatically without Windows displaying a security warning, as demonstrated below.

Demonstration of LNK files in ISO images bypassing MoTW warnings
Source: BleepingComputer

After installing the November Patch Tuesday security updates for CVE-2022-41091, Windows will now propagate the Mark of the Web flag from the ISO file to all of its contents and properly display a security warning when launching the LNK file.

Mark of the Web propagated to files inside an ISO
Source: BleepingComputer

Two other MoTW bugs fixed

In addition to fixing ISO MoTW propagation, the November updates also fixed two MoTW bugs discovered and reported by Will Dormann, a senior vulnerability analyst at ANALYGENCE, with one actively exploited in the wild by threat actors.

The first bug causes Windows SmartScreen to fail on Windows 11 22H2 and bypass Mark of the Web warnings when opening files directly from ZIP archives.

Let’s take the corrupt-authenticode bug out of the picture. I can’t tell how Windows decides how to scan/prompt downloads.
In a VM with no network (so we clearly see the SS warning), we have calc.exe from XP in a zip:
Extract first: SmartScreen Warning.
Run from Zip: Just run!

— Will Dormann (@wdormann) October 31, 2022

The second bug, dubbed ‘ZippyReads,’ can be exploited simply by creating a ZIP file containing a read-only file. When this archive is opened in Windows Explorer, the MoTW flag will not be propagated to the read-only file and bypasses security warnings.

Both of these vulnerabilities were fixed as part of the November Windows security updates for CVE-2022-41049.

However, another bug Dormann found remains unfixed, allowing stand-alone JavaScript files to bypass the MoTW warnings and automatically execute the script if the file is signed using a malformed signature.

As threat actors distributing the Magniber ransomware are actively exploiting this bug, we will likely see a fix coming soon.

Adblock test (Why?)