Windows and the "Mark of the Web" (MotW) security problem

Windows[German]It was a report the other day that BlueNoroff APT hackers are using new techniques to bypass Windows' "Mark of the Web" protections that prompted me to bring the topic up again on the blog. That's because MotW, as it's called for short, has come up more frequently in recent months – first because Microsoft wouldn't close a MotW vulnerability. And then it released a patch for a vulnerability after all.


Background: Mark of the Web

Files from the Internet or similar sources could contain malware. Therefore, Microsoft came up with a security mechanism years ago where these files are marked with a Mark of the Web (MOTW) flag. Windows can display a security warning before opening and starting an executable file with a MotW flag set.

The Smart App Control protection feature, for example, evaluates this flag and is supposed to provide better protection against new and emerging threats in Windows 11 by blocking malicious or untrusted apps. Smart App Control is also meant to help block potentially unwanted apps. These are apps that can cause your device to run slowly, display unexpected ads, offer additional software that is not wanted by the user. Microsoft Office also blocks macros in documents with MOTW (source).

Die Schutzfunktionwertet beispielsweise dieses Flag aus und soll in Windows 11 einen besseren Schutz vor neuen und aufkommenden Bedrohungen bieten, indem bösartige oder nicht vertrauenswürdige Apps blockiert werden. Smart App Control soll auch dabei helfen, potenziell unerwünschte Apps zu blockieren. Hierbei handelt es sich um Apps, die dazu führen können, dass Ihr Gerät langsam läuft, unerwartete Werbung angezeigt wird, zusätzliche Software angeboten wird, die vom Nutzer nicht erwünscht ist. Auch Microsoft Office blockiert Makros in Dokumenten mit MOTW (Quelle).

The MotW-Bug

I had already addressed it in the blog post Windows 0-day (Mark of the Web) used for ransomware attacks via JavaScript. Malicious attackers try to bypass the MotW security mechanism by finding ways to smuggle malicious files from the Internet onto victims' systems without the flag set.

ZIP MotW vulnerability


Security researcher Will Dormann came across this vulnerability in Windows in May 2022, which allows an attacker to prevent Windows from setting the "Mark of the Web" mark for files extracted from a ZIP archive. This is true even if the ZIP archive comes from an untrusted source such as the Internet, an email, or a USB stick. This renders Microsoft's nice security solutions ineffective.

… and Microsoft's fail

Will Dormann had informed Microsoft about this problem in July 2022, but an official solution had not been provided yet. There was neither a patch, let alone a CVE identifier for the vulnerability, which did not go unnoticed. This is because this vulnerability has apparently been exploited in the wild for several months (see also Windows 0-day (Mark of the Web) used for ransomware attacks via JavaScript).

Therefore, ACROS Security has addressed the issue and developed a 0Patch micropatch to close it. The patch is freely available since October 2022, only the 0patch agent is required. I had reported about this free micropatch in the blog post Windows: 0Patch micropatch for MotW bypassing 0-day (no CVE), which blocks the exploitability of the vulnerability.

As recently as the November 2022 patchday, a fix for Mark of the Web (MotW) is mentioned in Microsoft's summary (see Microsoft Security Update Summary (November 8, 2022)) without revealing details. Will Dormann had then given some hints about the MotW vulnerability CVE-2022-41091 in this tweet.

Dormann about MotW vulnerability CVE-2022-41091

In December, there was a follow-up on patchday (see Microsoft Security Update Summary (December 13, 2022)). Microsoft confirmed a fix for another MoTW vulnerability CVE-2022-44698 Windows SmartScreen security feature bypass vulnerability (MoTW), but classified it as moderate.

BlueNoroff APT hackers abuses MotW

Then, in late December 2022, there was a warning that the BlueNoroff APT group was using the Mark of the Web (MotW) vulnerability to drive attacks against victims. The BlueNoroff APT hackers are using new techniques to bypass Windows' Mark of the Web protections.

BlueNoroff APT hackers are abusing MotW

BlueNoroff APT is a subgroup of the Lazarus Group (suspected to be North Korea). The attackers use a novel infection chain that includes optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats. All with the aim of evading the MotW flag and detection by Microsoft's security solutions. Kaspersky has uncovered the attack, and The Hacker News has put it all together in this blog post.

It is not clear from either post whether these infection vectors are prevented by the Windows security updates released by Microsoft (or by the 0patch solution). However, the outline above shows how slow Microsoft often is in responding to reported vulnerabilities and then being shown up by attackers. This was spontaneously in my mind while writing this article, because at the moment "voodoo is being blown again" because Windows 7 SP1, Windows 8.1 and Windows Server 2008 R2 will receive security updates for the last time on January 10, 2023. On January 11, 2023, the IT security of the Occident will collapse – because only Windows 10 /11 contain the "good" security vulnerabilities, which will hopefully be patched at some point.

In the future, it will be a matter of how administrators secure their systems so that various attack vectors cannot occur in the first place. In addition to timely updates (which are becoming a lottery due to numerous bugs), other measures such as limiting the number of executable applications, monitoring the systems using EDR and SIEM solutions, etc. are also part of this. Relying on "Microsoft will already patch" has already worked more badly than well in the past.

Similar article:
Windows: 0Patch micropatch for MotW bypassing 0-day (no CVE)
Microsoft Security Update Summary (November 8, 2022)
Microsoft Security Update Summary (December 13, 2022)
Windows 0-day (Mark of the Web) used for ransomware attacks via JavaScript


Cookies helps to fund this blog: Cookie settings


This entry was posted in Allgemein. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *