Windows: 0Patch Micropatch for MOTW ZIP file bug (0-day, no CVE)

Since May 2022, a bug has been known to exist in Windows that prevents the "Mark of the Web" flag from being set for files extracted from ZIP archives. Microsoft itself has not yet released a patch for this 0-day vulnerability. The vulnerability is already being exploited. Therefore, ACROS Security has addressed the problem and developed a 0Patch micropatch to close it. The patch is freely available; only the 0patch agent is needed.


Mitja Kolsek, the founder of ACROS Security, informed me about this micropatch in a personal message a few hours ago, and also made the issue public in the following tweet, with the details in this blog post.

Bypassing "Mark of the Web" in ZIP archives

What is MOTW about?

Windows can display a security warning before opening and launching an executable file downloaded from the Internet. This "Smart App Control" only works with files that have the Mark of the Web (MOTW) flag set. Smart App Control is intended to provide better protection against new and emerging threats in Windows 11 by blocking malicious or untrusted apps. Smart App Control also helps block potentially unwanted apps. These are apps that can cause your device to run slowly, display unexpected ads, or offer additional software that the user does not want. Microsoft Office also blocks macros in documents with MOTW (source).

Bug prevents Windows from setting the MOTW flag

Attackers therefore try to avoid marking their malicious files with MOTW. A bug in Windows allows attackers to create a ZIP archive in such a way that extracted malicious files are not marked with MOTW. Security researcher Will Dormann discovered a vulnerability in Windows in May 2022. 

ZIP MotW vulnerability


This vulnerability allows an attacker to prevent Windows from setting the "Mark of the Web" flag for files extracted from a ZIP archive. This is true even if the ZIP archive comes from an untrusted source such as the Internet, an email, or a USB stick. This renders Microsoft's nice security solutions ineffective.
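To check whether MOTW was propagated on a given system, the following PowerShell sketch compares a downloaded archive with the files extracted from it. It is an added example, not code from the original post or from ACROS Security. It relies on the fact that Windows stores MOTW in the NTFS alternate data stream `Zone.Identifier` (ZoneId 3 = Internet, 4 = Restricted sites). The function names and paths are hypothetical, and it assumes the archive was extracted with the ZIP support built into Windows.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# MOTW lives in the NTFS alternate data stream "Zone.Identifier".

function Get-MotwZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId as an int, or $null when the file carries no MOTW.
    $stream = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' `
        -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # stream exists but holds no ZoneId line
}

function Test-ExtractedMotw {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,   # the downloaded ZIP
        [Parameter(Mandatory)][string]$ExtractedDir   # folder it was extracted to
    )
    $archiveZone = Get-MotwZoneId -Path $ArchivePath
    if ($null -eq $archiveZone) {
        # Without a mark on the archive there is nothing to propagate.
        Write-Warning "Archive carries no MOTW; propagation cannot be judged."
        return
    }
    Get-ChildItem -LiteralPath $ExtractedDir -File -Recurse | ForEach-Object {
        $zone = Get-MotwZoneId -Path $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            ArchiveZone = $archiveZone
            FileZone    = $zone
            # A marked archive should yield marked files; $true here means
            # the extracted file lost the mark.
            MotwMissing = ($null -eq $zone)
        }
    }
}

# Usage (placeholder paths): list extracted files that lack the mark.
# Test-ExtractedMotw -ArchivePath "$env:USERPROFILE\Downloads\sample.zip" `
#     -ExtractedDir "$env:USERPROFILE\Downloads\sample" |
#     Where-Object MotwMissing
```

Files on non-NTFS volumes (for example FAT32 USB sticks) cannot hold the stream at all, so the check only makes sense for extraction targets on NTFS.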

Will informed Microsoft about this problem in July, but an official solution has not been provided yet. In the meantime, the vulnerability is apparently being exploited in the wild. So far, however, there is no patch and not even a CVE identifier for it. 

The 0Patch solution

ACROS Security has analyzed the vulnerability and released micropatches for it. These are available for free via the 0patch agent until Microsoft has released the official fix. Details on how it works can be found in this blog post and the embedded video.

Notes on how the 0patch agent works, which loads the micropatches into memory at an application's runtime, can be found in blog posts (such as here).

Similar articles:
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0patch fixes LPE Vulnerability (CVE-2021-34484) in Windows User Profile Service
0patch fixes LPE vulnerability (CVE-2021-24084) in Mobile Device Management Service
0patch fixes InstallerTakeOver LPE 0-day vulnerability in Windows
0patch fixes ms-officecmd RCE vulnerability in Windows
0patch fixes RemotePotato0 vulnerability in Windows
0patch fixes again vulnerability CVE-2021-34484 in Windows 10/Server 2019
0Patch fixes vulnerabilities (CVE-2022-26809 and CVE-2022-22019) in Windows
Windows MSDT 0-day vulnerability "DogWalk" receives 0patch fix
0patch fixes all known and exploitable Windows NTLM/Kerberos vulnerabilities
0patch fixes Memory Corruption vulnerability (CVE-2022-35742) in Microsoft Outlook 2010
Windows 7/Server 2008 R2 receive 0patch micropatches in 2023 and 2024
