Actively exploited Windows MoTW zero-day gets unofficial patch (Security News, October 2022)
A free unofficial patch has been released for an actively exploited zero-day that allows files signed with malformed signatures to bypass Mark-of-the-Web security warnings in Windows 10 and Windows 11.
What made the Magniber ransomware's JavaScript files stand out was that even though they carried a Mark-of-the-Web, Windows displayed no security warning when they were launched.
When a malicious file with one of these malformed signatures is opened, it is not flagged by Microsoft SmartScreen and no security warning is shown; Windows simply lets the file run, so the MoTW check fails open rather than closed.
As this zero-day vulnerability is actively exploited in ransomware attacks, the 0patch micro-patching service decided to release an unofficial fix that can be used until Microsoft releases an official security update.
In a 0patch blog post, co-founder Mitja Kolsek explains that the bug is caused by Windows SmartScreen failing to parse the file's malformed Authenticode signature; when that parse fails, the security warning is skipped instead of being shown.
"While our patch fixes the most obvious flaw, its utility depends on the application opening the file using function DoSafeOpenPromptForShellExe in shdocvw.dll and not some other mechanism," warns Kolsek.
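The condition the attackers exploit is a file that still carries its Mark-of-the-Web (the Zone.Identifier alternate data stream) but whose embedded Authenticode signature cannot be verified. The following PowerShell script is an added hunting example written for this page; it is not 0patch's fix and not code from the article or from Microsoft. It walks a download folder (path is an assumed default), keeps only files whose ZoneId marks them as coming from the Internet or Restricted zone, and reports those whose signature status is neither Valid nor NotSigned, which is exactly the "present but unparseable signature" shape described above. It does not claim to reproduce the bug itself; it only surfaces candidates for review.

```powershell
# Added example (not from the article, 0patch or Microsoft): hunt for files that
# carry a Mark-of-the-Web but whose Authenticode signature does not verify cleanly.
# $Path default is an assumption; point it at whatever folder you want to sweep.
param([string]$Path = "$env:USERPROFILE\Downloads")

# Script and binary types that can carry an embedded Authenticode signature.
$types = '*.js','*.jse','*.vbs','*.vbe','*.wsf','*.ps1','*.exe','*.dll','*.msi'

function Get-ZoneId {
    param([string]$File)
    # The MoTW lives in the Zone.Identifier ADS as "ZoneId=<n>".
    # 3 = Internet, 4 = Restricted Sites; these are the zones SmartScreen acts on.
    try {
        $ads = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no ADS: the file was never marked, skip it
    }
    $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line) { return [int]($line -replace '^ZoneId=', '') }
    return $null
}

Get-ChildItem -Path $Path -Recurse -File -Include $types -ErrorAction SilentlyContinue |
ForEach-Object {
    $zone = Get-ZoneId -File $_.FullName
    if ($null -eq $zone -or $zone -lt 3) { return }

    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    # Valid and NotSigned are the two expected outcomes. Anything else (for example
    # UnknownError, HashMismatch, NotTrusted) means a signature block exists but
    # could not be verified; that is the condition worth a closer look.
    if ($sig.Status -notin 'Valid', 'NotSigned') {
        [pscustomobject]@{
            Path    = $_.FullName
            ZoneId  = $zone
            Status  = $sig.Status
            Message = $sig.StatusMessage
        }
    }
}
```

Run it from an elevated or normal prompt as `.\Find-BadSigMotw.ps1 -Path D:\Quarantine` (script name is an assumption). NotTrusted hits may simply be self-signed or untrusted-root files, so treat the output as a triage list rather than a verdict; a hit that is also a script type downloaded from the Internet is the one to examine first. As Kolsek's caveat notes, the unofficial patch only covers the shdocvw.dll prompt path, so this kind of inventory remains useful even after applying it.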