An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections.
While files downloaded from the internet in Windows are tagged with a MotW flag to prevent unauthorized actions, it has since been found that corrupt Authenticode signatures can be used to allow the execution of arbitrary executables without any SmartScreen warning.
Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and verifies whether the software was tampered with after it was signed and published.
|Source: Will Dormann Twitter|
"If the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped regardless of script contents, as if there is no MotW on the file," security researcher Will Dormann explained.
Now according to 0patch co-founder Mitja Kolsek, the zero-day bug is the result of SmartScreen returning an exception when parsing the malformed signature, which is incorrectly interpreted as a decision to run the program rather than trigger a warning.
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!Don't Miss Out – Save Your Seat!
Fixes for the flaw also come less than two weeks after unofficial patches were shipped for another zero-day MotW bypass flaw that came to light in July and has since come under active attack, per security researcher Kevin Beaumont.
The vulnerability, discovered by Dormann, relates to how Windows fails to set the MotW identifier to files extracted from specifically crafted .ZIP files.
"Attackers therefore understandably prefer their malicious files not being marked with MotW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked," Kolsek said.