November 2, 2022

A cybersecurity company has released a free unofficial patch to fix an actively exploited Windows bug that allows files signed with erroneous signatures to avoid Mark-of-the-Web security warnings in Windows 10 and 11.

Previously, the threat actors used standalone JavaScript files to install the Magniber ransomware on the devices of the victims, especially on home PCs.

When a user downloads a file from the Internet, Microsoft adds a Mark-of-the-Web flag to the file, which causes the operating system to display security warnings when the file is opened. Magniber JavaScript files stand out because they contain a Mark-of-a-Web, and when they were launched, Windows did not display any security warnings.

It turns out that it is possible to bypass this feature and not attach the MotW flag to files downloaded from the Internet, thus bypassing all protection mechanisms when opening them. For example, an attacker could prevent Windows from placing the MotW flag on files extracted from an untrusted ZIP archive. Scammers could exploit this vulnerability to cause users to open ZIP archives and execute malicious software without triggering the expected security precautions.

Since this zero-day vulnerability is actively used for ransomware attacks, the micro-patching service 0patch has decided to release an unofficial fix that can be used until Microsoft releases an official security update.

A Microsoft spokesman said of the latest vulnerability: “We are aware of the technique and are investigating to determine the appropriate steps to address the issue.”

The sources for this piece include an article in TheRegister.