A vulnerability that allowed attackers to bypass the Windows Mark of the Web (MotW) security mechanism has been unofficially fixed thanks to the 0patch micropatching service.
MotW automatically flags files and executables downloaded from untrusted sources over the Internet, including ZIP archives.
Different versions of the patch are now available for Windows 10 v1803 and later, Windows 7 with or without Extended Security Updates (ESU), Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2008 R2 with or without ESU.
Misuse of ZIP archives
MotW prompts system administrators to be extra cautious by marking files and archives from untrusted sources, and displays warnings that running an untrusted file could result in a system compromise.
However, according to BleepingComputer, Will Dormann, Senior Vulnerability Analyst at ANALYGENCE, discovered last summer that .zip archives were not properly propagating the required MotW tags, leaving many users at risk of malware, ransomware, and myriad other problems.
In a recent Twitter thread, Dormann claims to have reported the issue to Microsoft in August 2022; he also claims that the company opened and read the report but has not yet patched it.
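The mark that the article refers to lives in an NTFS alternate data stream named Zone.Identifier on each downloaded file. The following PowerShell snippet is an added example, not code from the article or from 0patch; it audits a folder of extracted files and reports any that carry no mark, which is exactly the condition Dormann described. The folder path is an assumption.

```powershell
# Added example: audit files for the Mark of the Web (MotW).
# MotW is stored in an alternate data stream named Zone.Identifier whose
# [ZoneTransfer] section holds ZoneId=3 (Internet) or ZoneId=4 (Restricted sites).
# A file extracted from a downloaded archive should carry this stream; a file
# that lacks it opens without the usual SmartScreen / Protected View warning.
function Get-MotWStatus {
    param(
        # Directory to audit, e.g. the folder an archive was extracted into (assumed)
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $zoneId = $null
        # Get-Item -Stream returns $null (with the error suppressed) when the
        # Zone.Identifier stream is absent, i.e. the file has no MotW.
        $stream = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            $lines = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier'
            foreach ($line in $lines) {
                if ($line -match '^ZoneId\s*=\s*(\d+)') {
                    $zoneId = [int]$Matches[1]
                    break
                }
            }
        }
        [pscustomobject]@{
            File    = $_.FullName
            ZoneId  = $zoneId
            # Only zones 3 and 4 are treated as "from the Internet" by Windows
            HasMotW = ($null -ne $zoneId -and $zoneId -ge 3)
        }
    }
}

# Usage: list extracted files that are missing the mark. Run this against a
# folder extracted from a downloaded ZIP; on an unpatched system the entries
# typically come back without a Zone.Identifier stream.
Get-MotWStatus -Path 'C:\Users\Public\Downloads\extracted' |
    Where-Object { -not $_.HasMotW } |
    Format-Table File, ZoneId
```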
Until then, users can switch to 0patch, register an account and install the agent themselves. After that, the patches are applied automatically as soon as the agent is started and do not require a system restart.
Microsoft has not patched the vulnerability, even though it has become a popular target for attackers since Dormann's disclosure last summer.
It is currently not clear if 0patch’s action will spur Microsoft to take official action to protect more systems by releasing an official patch, although the bug report, which has been ignored for over 90 days, does not bode well.
Via: BleepingComputer
https://www.techradar.com/news/bypass-for-windows-trusted-file-label-gets-unofficial-patch Bypass for Windows trusted file label gets unofficial patch