Security News > 2022 > November > Microsoft fixes MoTW zero-day used to drop malware via ISO files
Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers.
The MoTW flag is added to files as an alternate data stream called 'Zone.Identifier,' which includes what URL security zone the file is from, the referrer, and the URL to the file.
As part of the November Patch Tuesday updates, Microsoft fixed numerous vulnerabilities that allowed threat actors to craft files that can bypass the Mark of the Web security feature.
According to Bill Demirkapi, an engineer in Microsoft MSRC's Vulnerability and Mitigations team, a bug was fixed that prevented the MoTW flag from propagating to files inside an ISO disk image.
While a downloaded or attached ISO file will contain the Mark of the Web and issue a warning when opened, the bug caused the MoTW flag not to be propagated to non-Microsoft Office file types, such as Windows Shortcuts.
Another bug Dormann found remains unfixed, allowing stand-alone JavaScript files to bypass the MoTW warnings and automatically execute the script if the file is signed using a malformed signature.
News URL
Related news
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Botnet exploits GeoVision zero-day to install Mirai malware (source)
- Microsoft launches Zero Day Quest hacking event with $4 million in rewards (source)
- Microsoft announces Zero Day Quest hacking event with big rewards (source)
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
- Microsoft fixes exploited zero-day (CVE-2024-49138) (source)