Security News > 2022 > November > Microsoft fixes MoTW zero-day used to drop malware via ISO files

Microsoft fixes MoTW zero-day used to drop malware via ISO files
2022-11-10 22:18

Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers.

The MoTW flag is added to files as an alternate data stream called 'Zone.Identifier,' which includes what URL security zone the file is from, the referrer, and the URL to the file.

As part of the November Patch Tuesday updates, Microsoft fixed numerous vulnerabilities that allowed threat actors to craft files that can bypass the Mark of the Web security feature.

According to Bill Demirkapi, an engineer in Microsoft MSRC's Vulnerability and Mitigations team, a bug was fixed that prevented the MoTW flag from propagating to files inside an ISO disk image.

While a downloaded or attached ISO file will contain the Mark of the Web and issue a warning when opened, the bug caused the MoTW flag not to be propagated to non-Microsoft Office file types, such as Windows Shortcuts.

Another bug Dormann found remains unfixed, allowing stand-alone JavaScript files to bypass the MoTW warnings and automatically execute the script if the file is signed using a malformed signature.


News URL

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-motw-zero-day-used-to-drop-malware-via-iso-files/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399