A cybersecurity company has released another unofficial patch to fix a bug in Windows that Microsoft has yet to fix, with this vulnerability being actively exploited to spread ransomware.
Back on October 17th, Acros Security released a small binary patch to fix a bug in Microsoft’s Mark-of-the-Web (MotW) feature. This feature is intended to set a flag in the metadata of files coming from the internet, USB sticks and other untrusted sources. This flag ensures that additional security measures are in place when these files are opened, e.g. Office blocks the execution of macros, or the operating system checks whether the user really wanted to run this EXE file.
It turns out that it is possible to bypass this feature so that files downloaded from the Internet are not flagged with MotW, bypassing all of these protections when they are opened. In particular, an attacker could prevent Windows from setting the MotW flag on files extracted from a ZIP archive obtained from an untrusted source. This can be exploited by criminals to trick marks into opening ZIP archives and running the malicious software inside without triggering the expected security protections. The bug was highlighted months ago by Will Dormann, Senior Vulnerability Analyst at Analygence.
Microsoft has yet to fix this oversight. IT observer Kevin Beaumont said on October 10 that the bug is now being exploited in the wild. Acros released a micropatch about a week later that can be applied to plug that hole while you wait for Redmond to catch up.
Acros has now released another patch that addresses a related MotW vulnerability in Windows, which Microsoft has not yet fixed.
When executed, the script actually deploys Magniber, a ransomware variant that targets Windows home users. It encrypts documents and, according to Wolf Security, can extort up to $2,500 from victims to recover their data.
“While Magniber doesn’t fall into the big game hunting category, it can still cause significant damage,” the Wolf team wrote in their report, in which big game hunting refers to crooks specifically targeting large, wealthy corporations in hopes of one big payday. “Home users were the likely target of this malware based on the supported OS versions and UAC bypass.”
Microsoft’s SmartScreen is designed, among other things, to block obviously malicious files or warn users if a file looks suspicious, but the contents of the Magniber ZIP archive managed to bypass this process entirely. That is: there is a flaw in Windows that was exploited so that the MotW flag is not applied to files from the Internet, and now a related vulnerability is being exploited in which MotW is set but has no effect.
“Remember that on Windows 10 and Windows 11, opening a potentially malicious file triggers a SmartScreen scan of that file, with SmartScreen determining whether the file is ready to start or whether the user should be warned about it,” Kolsek said.
And it turns out that the script file in the Magniber ZIP bypasses SmartScreen due to a broken Authenticode digital signature. This signature confuses Windows, allowing the script to run even with its MotW flag set.
Dormann of Analygence tweeted on October 18, in response to Schlapfer, that “if the file has this bad Authenticode signature, the SmartScreen and/or file open warning dialog will be skipped regardless of the script content, as if there is no MotW on the file.”
Microsoft’s Authenticode is a digital code-signing technology that identifies the publisher and verifies that the software has not been tampered with after it was signed and released. Dormann found that the script file’s signatures were so malformed that Windows “couldn’t even parse them properly. This, for some reason, led Windows to trust them — and let malicious executables run without warning,” Kolsek wrote.
Further investigation by Acros Security revealed that the bug arose because SmartScreen returned an error when attempting to parse the corrupted signature, which caused the operating system to run the program and infect the computer without raising an alert.
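The two failure modes described above (a file that arrives with no MotW flag, and a file whose Authenticode signature cannot be parsed) can both be audited from PowerShell on Windows. The following is an added example written for this article, not code from The Register, Acros or Microsoft; it assumes a folder of already-extracted archive contents at the path given in `$Path`, and it reads the `Zone.Identifier` alternate data stream that carries MotW and the signature status reported by `Get-AuthenticodeSignature`.

```powershell
# Added example: audit extracted files for a missing Mark-of-the-Web and for
# Authenticode signatures that fail to validate or parse.
# $Path is an assumed input; point it at a folder of extracted ZIP contents.
param([string]$Path = "$env:USERPROFILE\Downloads\extracted")

$results = foreach ($f in Get-ChildItem -LiteralPath $Path -File -Recurse) {
    # MotW is stored in the Zone.Identifier alternate data stream (NTFS only).
    # ZoneId=3 means the file came from the Internet zone; no stream means no MotW.
    $zone = $null
    $ads = Get-Content -LiteralPath $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
    }

    # Status is Valid for a good signature and NotSigned for an unsigned file.
    # Any other value (UnknownError, HashMismatch, NotTrusted, ...) means the
    # signature is present but broken or could not be processed; that is the
    # condition this article says let a malicious script slip past SmartScreen.
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName

    [pscustomobject]@{
        File       = $f.FullName
        ZoneId     = $zone
        SigStatus  = $sig.Status
        Suspicious = ($null -eq $zone) -or ($sig.Status -notin @('Valid', 'NotSigned'))
    }
}

# Report only the files a defender should look at before anyone opens them.
$results | Where-Object Suspicious | Format-Table -AutoSize
```

Files listed with a null ZoneId have lost their MotW despite coming from an untrusted download, and files listed with a signature status other than Valid or NotSigned carry a signature Windows could not verify; both deserve quarantine rather than a double-click.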
Acros’ latest micropatch, released on October 28, works for Windows 11 version 21H2, eight versions of Windows 10 including 21H1 and 21H2, and Windows Server versions 2019 and 2022, we’re told.
A Microsoft spokesperson said of this latest vulnerability: “We are aware of the technology and are investigating to determine the appropriate steps to resolve the issue.”
Source: Unofficial Fix Emerges for Windows Bug Exploited in the Wild, The Register, https://www.theregister.com/2022/11/01/microsoft_motw_malware_flaw/