Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Actively exploited Windows MoTW zero-day gets unofficial patch

A free unofficial patch has been released for an actively exploited zero-day that allows files signed with malformed signatures to bypass Mark-of-the-Web security warnings in Windows 10 and Windows 11.

Last weekend, BleepingComputer reported that threat actors were using stand-alone JavaScript files to install the Magniber ransomware on victims’ devices.

When a user downloads a file from the Internet, Microsoft adds a Mark-of-the-Web flag to the file, causing the operating system to display security warnings when the file is launched, as shown below.

Windows Mark-of-the-Web security warning
Windows Mark-of-the-Web security warning
Source: BleepingComputer

What made these Magniber JavaScript files stand out was that even though they contained a Mark-of-a-Web, Windows did not display any security warnings when they were launched.

After being analyzed by Will Dormann, a senior vulnerability analyst at ANALYGENCE, he discovered that the JavaScript files were digitally signed using a malformed signature.

When a malicious file with one of these malformed signatures is opened, instead of being flagged by Microsoft SmartScreen and showing a security warning, Windows would automatically allow the program to run.

The image below demonstrates how the vulnerability allows a file (‘calc-othersig.js’) with a malformed signature to bypass the Mark-of-the-Web security warning.

Demonstration of the Windows zero-day bypassing security warnings
Demonstration of the Windows zero-day bypassing security warnings
Source: BleepingComputer

Microsoft told BleepingComputer that they were aware of the issue and investigating it.

Free unofficial patch released

As this zero-day vulnerability is actively exploited in ransomware attacks, the 0patch micro-patching service decided to release an unofficial fix that can be used until Microsoft releases an official security update.

In a 0patch blog post, co-founder Mitja Kolsek explains that this bug is caused by Windows SmartScreen’s inability to parse the malformed signature in a file.

When SmartScreen can’t parse the signature, Windows will incorrectly allow the program to run rather than displaying an error.

“The malformed signature discovered by Patrick and Will caused SmartScreen.exe to throw an exception when the signature could not be parsed, resulting in SmartScreen returning an error,” explains Kolsek.

“Which we now know means “Run”.”

Kolsek warned that though their patch fixes the majority of attack scenarios, there could also be situations that bypass his patch.

“While our patch fixes the most obvious flaw, its utility depends on the application opening the file using function DoSafeOpenPromptForShellExe in shdocvw.dll and not some other mechanism,” warns Kolsek.

“We’re not aware of another such mechanism in Windows, but it could technically exist.”

Until Microsoft releases official updates to address the flaw, 0patch has developed free patches for the following affected Windows versions:

Advertisement. Scroll to continue reading.
  1. Windows 11 v21H2
  2. Windows 10 v21H2
  3. Windows 10 v21H1
  4. Windows 10 v20H2
  5. Windows 10 v2004
  6. Windows 10 v1909
  7. Windows 10 v1903
  8. Windows 10 v1809
  9. Windows 10 v1803
  10. Windows Server 2022
  11. Windows Server 2019 

To install the micropatch on your Windows device, you will need to register a free 0patch account and install its agent.

Once the agent is installed, the patches will be applied automatically without requiring a system restart if there are no custom patching policies to block it.

You can see 0patch’s Windows micropatches in action in the video below.

Copyright 2021 Associated Press. All rights reserved.

Source: https://www.bleepingcomputer.com/news/microsoft/actively-exploited-windows-motw-zero-day-gets-unofficial-patch/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

It was a big year for cybersecurity in 2022 with massive cyberattacks and data breaches, innovative phishing attacks, privacy concerns, and of course, zero-day...

Cyber Security

New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings. When files are...

Cyber Security

Microsoft is developing a patch for two actively exploited zero-day vulnerabilities in Microsoft Exchange Server. The flaws, tracked as CVE-2022-41040 and CVE-2022-41082, were discovered in Microsoft’s enterprise...

Cyber Security

Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. MS-SQL servers are database management systems holding...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO