0patch released an unofficial patch for an actively exploited security vulnerability in Microsoft Windows that allows bypassing Mark-of-the-Web (MotW) protections by using files signed with malformed signatures.
The issue affects all supported Windows versions and several legacy ones, and it was abused in a recent Magniber campaign that targeted Windows home users with fake security updates.
A researcher explained that malicious files extracted from the attacker's ZIP archives were executed without any security warning, even when they were missing the Mark of the Web.
To protect users from unauthorized actions, files downloaded from the internet are tagged by Windows with a MotW flag, which causes SmartScreen to inspect them before they run. Files carrying a corrupt Authenticode signature, however, can be executed without any SmartScreen warning.
Windows fails to parse the malformed signature correctly and, instead of treating the file as untrusted, lets the malicious executable run without a warning.
The malformed signature that was discovered causes SmartScreen.exe to throw an exception when the signature cannot be parsed, so SmartScreen returns an error rather than a verdict, and the file is allowed to run.
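The practical lesson for defenders is that a signature check which errors out must fail closed, not open. The following PowerShell script is an added example, not code from the article or from 0patch: it walks a folder of downloaded files, reads the Mark-of-the-Web `Zone.Identifier` stream, runs `Get-AuthenticodeSignature`, and flags any Internet-zone file whose signature status is anything other than `Valid` or `NotSigned`, treating a parse failure as untrusted. The default folder, the file extensions scanned and the flagging rule are assumptions chosen for the example.

```powershell
# Added example (not from the article or 0patch): audit downloaded files and
# treat an unparseable Authenticode signature as untrusted (fail closed).
param(
    [string]$Folder = "$env:USERPROFILE\Downloads"   # assumed default; adjust as needed
)

function Get-MotwZoneId {
    param([string]$Path)
    # MotW lives in the Zone.Identifier alternate data stream; ZoneId=3 means "Internet".
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $text) { return $null }                 # no stream: file has no MotW
    foreach ($line in $text) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-SignatureFailClosed {
    param([string]$Path)
    try {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop
    } catch {
        # The signature could not be parsed at all. This is exactly the case the
        # article describes; a fail-closed check reports it as untrusted.
        return [pscustomobject]@{ Status = 'ParseError'; Trusted = $false }
    }
    # Only a fully valid chain counts as trusted; UnknownError, HashMismatch,
    # NotTrusted etc. are all treated as untrusted.
    return [pscustomobject]@{ Status = [string]$sig.Status; Trusted = ($sig.Status -eq 'Valid') }
}

Get-ChildItem -LiteralPath $Folder -File -Recurse -Include *.exe,*.dll,*.msi,*.js |
    ForEach-Object {
        $zone  = Get-MotwZoneId -Path $_.FullName
        $check = Test-SignatureFailClosed -Path $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            ZoneId    = $zone                       # 3 = Internet, $null = no MotW stream
            SigStatus = $check.Status
            Trusted   = $check.Trusted
            # Flag Internet-zone files whose signature is neither valid nor simply absent:
            # these are the ones a parse-error bypass would wave through.
            Flag      = ($zone -eq 3) -and ($check.Status -notin @('Valid', 'NotSigned'))
        }
    } |
    Where-Object { $_.Flag } |
    Format-Table -AutoSize
```

Run it as `.\Audit-Motw.ps1 -Folder C:\path\to\downloads` (the script name is assumed). Files listed in the output carry the Internet-zone mark yet have a signature that Windows could not validate, which is the combination worth quarantining or inspecting further; an empty result means every Internet-tagged file was either validly signed or carried no signature at all.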