Unofficial fix emerges for exploited Windows bug in the wild

A cybersecurity firm has released another unofficial patch to eliminate a bug in Windows that Microsoft has yet to fix, with this hole being actively exploited to distribute ransomware.

Go back to October 17 and Acros Security released a small binary patch to fix a flaw in Microsoft’s Mark-of-the-Web (MotW) feature. This feature is supposed to set a flag in the metadata for files obtained from the Internet, USB drives, and other untrusted sources. This flag ensures that when these files are opened, additional security protections kick in, such as Office blocking macros from running or the operating system verifying that the user really wanted to run that .exe.

It turns out that this feature can be bypassed so that files downloaded from the web do not carry the MotW flag, sidestepping all of these protections when they are opened. Specifically, an attacker could prevent Windows from putting the MotW flag on files extracted from a ZIP archive obtained from an untrusted source. Malefactors can exploit this by luring marks into opening such ZIP archives and running malware from them without triggering the expected security protections. The bug was discovered months ago by Will Dormann, Senior Vulnerability Analyst at Analygence.

Microsoft has yet to correct this oversight. On October 10, IT watcher Kevin Beaumont said the bug was being exploited in the wild. Acros released a micropatch about a week later that can be applied to fill that hole while you wait for Redmond to catch up.

Now Acros has released another patch that fixes a related MotW security hole in Windows that Microsoft has yet to fix.

What’s new?

Just days before the first patch was released, HP Wolf Security shared a report of a series of ransomware infections in September, each of which began with a download from the web. Victims were instructed to retrieve a ZIP archive containing a JavaScript file masquerading as an antivirus or Windows software update.

The script, when executed, actually deployed Magniber, a ransomware strain aimed at Windows home users. It scrambles documents and can extort up to $2,500 from victims to restore their data, according to Wolf Security.

“Even though Magniber does not fall into the category of big game hunting, it can still cause significant damage,” the Wolf team wrote in their report, where big game hunting refers to crooks specifically infecting large, wealthy corporations in the hope of a big payday. “Home users were the likely target of this malware based on supported OS versions and UAC bypass.”

Notably, Patrick Schlapfer, Malware Analyst at HP, noted that the malicious JavaScript in the Magniber ZIP archive did carry the MotW flag but was still executed without a SmartScreen alert appearing to stop the requested action or warn the user not to proceed, as would be expected for an archive fetched from the Internet. Mitja Kolsek, CEO of Acros, confirmed that SmartScreen was bypassed by the Magniber script.

Microsoft’s SmartScreen is supposed to, among other things, block obvious malicious files or warn users if a file looks suspicious, but the contents of the Magniber ZIP archive were able to circumvent this process entirely. That is: there is a bug in Windows that has been exploited so that the MotW flag is not applied to files coming from the Internet, and now there is exploitation of a related vulnerability in which MotW is set but it has no effect.

“Remember that on Windows 10 and Windows 11, opening any potentially dangerous file triggers a SmartScreen inspection of that file, where SmartScreen determines if the file is ready to launch or if the user should be notified,” Kolsek said.

And it turns out that the script file in the Magniber ZIP bypasses SmartScreen due to a broken Authenticode digital signature. This signature confuses Windows so that the script is simply allowed to run even if its MotW flag is set.

Dormann of Analygence tweeted on October 18 in response to Schlapfer that “if the file has this malformed Authenticode signature, the SmartScreen warning and/or open file dialog will be skipped regardless of the contents of the script, as if there was no MotW on the file.”

Microsoft’s Authenticode is a digital code-signing technology that identifies the publisher and verifies that software has not been tampered with after it has been signed and released. Dormann discovered that the script file’s signature was malformed to the point that Windows “couldn’t even parse them properly. This, for some particular reason, led Windows to trust them – and let malicious executables run without warning,” Kolsek wrote.

Further inspection by Acros Security revealed that the flaw occurred because SmartScreen, while trying to parse the malformed signature, returned an error, which caused the operating system to run the program and infect the machine without triggering a warning.
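The two failure modes described above (files that arrive without a MotW flag at all, and files that carry the flag but whose Authenticode signature Windows cannot parse) can both be checked from the defender's side before anything is opened. The following PowerShell script is an added example written for this article, not code from Acros, HP or Microsoft. It assumes you have already extracted a suspicious archive into a folder (the parameter name `ExtractedDir` and the list of script and binary extensions are this example's choices), reads the `Zone.Identifier` alternate data stream that holds the MotW flag, and runs `Get-AuthenticodeSignature` over each file. Treating any signature status other than `Valid` or `NotSigned` as worth a closer look is a heuristic chosen for this example, since the article does not state which status Windows reports for the Magniber script.

```powershell
<#
  Added example, not from the article: audit files extracted from an archive for
  Mark-of-the-Web (MotW) and Authenticode signature health before anyone opens them.
  Assumption: $ExtractedDir is a folder you already extracted the archive into.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ExtractedDir
)

# File types Windows hands to a script host or loader; this list is the example's own choice.
$riskyExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.exe', '.dll',
                     '.ps1', '.cmd', '.bat', '.lnk', '.msi', '.scr')

function Get-ZoneId {
    param([string]$Path)
    # MotW is stored in the Zone.Identifier alternate data stream as INI-style text:
    #   [ZoneTransfer]
    #   ZoneId=3
    # ZoneId 3 = Internet, 4 = Restricted sites; 0-2 are local/intranet/trusted.
    try {
        $content = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no stream at all: the file carries no Mark-of-the-Web
    }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null       # stream present but no ZoneId line: treat as unmarked
}

$findings = foreach ($file in Get-ChildItem -LiteralPath $ExtractedDir -Recurse -File) {
    if ($riskyExtensions -notcontains $file.Extension.ToLower()) { continue }

    $zoneId = Get-ZoneId -Path $file.FullName
    $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Reasons a defender would want to look at this file before it is run.
    $reasons = @()
    if ($null -eq $zoneId -or $zoneId -lt 3) {
        # Extracted from an untrusted archive yet Windows will not apply MotW protections.
        $reasons += 'NoMotW'
    }
    if ($sig.Status -notin @('Valid', 'NotSigned')) {
        # Signature present but broken, unsupported or otherwise unverifiable
        # (heuristic: anything Windows could not fully validate).
        $reasons += "Signature:$($sig.Status)"
    }

    [pscustomobject]@{
        File            = $file.FullName
        ZoneId          = $zoneId
        HasMotW         = ($null -ne $zoneId -and $zoneId -ge 3)
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Reasons         = ($reasons -join ',')
    }
}

# Print everything, then a short list of files that need a human decision.
$findings | Format-Table -AutoSize

$suspicious = $findings | Where-Object { $_.Reasons }
if ($suspicious) {
    Write-Warning ("{0} file(s) need review before opening:" -f @($suspicious).Count)
    $suspicious | ForEach-Object { Write-Warning ("  {0}  [{1}]" -f $_.File, $_.Reasons) }
} else {
    Write-Host 'All risky file types carry MotW and have parseable signatures (or none).'
}
```

Run it as `.\Audit-ExtractedFiles.ps1 -ExtractedDir C:\quarantine\unpacked` after extracting the archive into an isolated folder. A file that lands in the report with `NoMotW` corresponds to the first bug in the article (the flag never made it onto the extracted file); a file with MotW present but a signature status Windows could not resolve corresponds to the second, where the flag is set but SmartScreen's inspection fails. The script only reads metadata and never launches anything, so it is safe to run on quarantined content.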

Acros’ latest micropatch, released on October 28, works for Windows 11 version 21H2, eight versions of Windows 10 including 21H1 and 21H2, and Windows Server versions 2019 and 2022, we’re told.

A Microsoft spokesperson told us about this latest vulnerability: “We are aware of the technique and are investigating to determine appropriate steps to resolve the issue.” ®
