Actively Abused Windows MoTW 0-Day Weakness Receives Unauthorized Fix


An actively exploited zero-day that lets files carrying malformed signatures bypass Mark-of-the-Web security warnings in Windows 10 and Windows 11 has received a free unofficial patch. It was recently discovered that threat actors were using standalone JavaScript files to infect victims’ devices with the Magniber ransomware.

Microsoft adds a Mark-of-the-Web flag to files that users download from the Internet, which prompts the operating system to display security alerts when such a file is run. These Magniber JavaScript files stood out because Windows issued no security alert when they were launched, despite their carrying a Mark-of-the-Web.

Will Dormann, a senior vulnerability analyst at ANALYGENCE, examined the JavaScript files and found that they were digitally signed with a malformed signature. When a malicious file with one of these faulty signatures is opened, Windows runs it immediately instead of Microsoft SmartScreen flagging it and displaying a security warning. Microsoft acknowledged the problem and said it was looking into it.

Because this zero-day is actively used in ransomware campaigns, the 0patch micro-patching service chose to provide an unofficial fix that can be applied until Microsoft issues an official security update. Mitja Kolsek, a co-founder of 0patch, explains in a blog post that the flaw results from Windows SmartScreen failing to parse the file’s malformed signature. Instead of treating that parsing failure as an error and warning the user, Windows inadvertently permits the application to run.

“The malformed signature discovered by Patrick and Will caused SmartScreen.exe to throw an exception when the signature could not be parsed, resulting in SmartScreen returning an error,” explains Kolsek. “Which we now know means ‘Run’.”
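The behaviour Kolsek describes, reduced to a toy model as an added example (this is not code from 0patch, Microsoft or the article): a gate that first checks the file's Mark-of-the-Web and then its signature, shown once in the fail-open form where a parsing exception is treated as "run", and once in the fail-closed form where it is treated like a missing signature. The Zone.Identifier text format is Windows' real alternate-data-stream format for the Mark-of-the-Web; the signature envelope, the `SIGNING_KEY`, the function names and the sample script are all constructed stand-ins for Authenticode so the example runs offline.

```python
"""Toy model of a MoTW + signature gate, fail-open beside fail-closed (added example)."""
import hashlib
import hmac
import struct
from typing import Optional

# Windows records the Mark-of-the-Web in the file's Zone.Identifier stream.
# ZoneId 3 is Internet and 4 is Restricted; 0-2 are local/intranet zones.
INTERNET_ZONES = {3, 4}


def has_mark_of_the_web(zone_identifier: Optional[str]) -> bool:
    """Return True if the Zone.Identifier text marks the file as Internet-sourced."""
    if zone_identifier is None:          # no stream at all: file was not downloaded
        return False
    in_section = False
    for line in zone_identifier.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip()) in INTERNET_ZONES
                except ValueError:
                    return True          # unreadable ZoneId: keep the mark (fail closed)
    return False


# Constructed signature scheme standing in for Authenticode: magic, 2-byte
# tag length, HMAC-SHA256 tag. SIGNING_KEY is a hypothetical publisher secret.
SIGNING_KEY = b"constructed-publisher-key"
MAGIC = b"SIG1"


class MalformedSignature(Exception):
    """Raised when the signature envelope cannot be parsed."""


def sign(content: bytes) -> bytes:
    tag = hmac.new(SIGNING_KEY, content, hashlib.sha256).digest()
    return MAGIC + struct.pack(">H", len(tag)) + tag


def parse_signature(blob: bytes) -> bytes:
    """Extract the tag, raising MalformedSignature on any structural defect."""
    if len(blob) < 6 or blob[:4] != MAGIC:
        raise MalformedSignature("bad header")
    (length,) = struct.unpack(">H", blob[4:6])
    tag = blob[6:6 + length]
    if len(tag) != length:
        raise MalformedSignature("declared length exceeds data present")
    return tag


def signature_valid(content: bytes, blob: Optional[bytes]) -> bool:
    """True only for a well-formed signature over exactly this content."""
    if not blob:                         # unsigned file: nothing to parse, untrusted
        return False
    tag = parse_signature(blob)          # may raise MalformedSignature
    expected = hmac.new(SIGNING_KEY, content, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def gate_fail_open(zone_identifier, content, blob) -> str:
    """Models the behaviour the article describes: an exception is treated as 'run'."""
    if not has_mark_of_the_web(zone_identifier):
        return "run"
    try:
        return "run" if signature_valid(content, blob) else "warn"
    except Exception:
        return "run"                     # the bug: verifier error == Run


def gate_fail_closed(zone_identifier, content, blob) -> str:
    """Hardened form: an unparseable signature is handled like no signature."""
    if not has_mark_of_the_web(zone_identifier):
        return "run"
    try:
        return "run" if signature_valid(content, blob) else "warn"
    except MalformedSignature:
        return "warn"                    # fail closed: show the MoTW warning


# Constructed sample inputs.
INTERNET_ADS = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/\r\n"
LOCAL_ADS = "[ZoneTransfer]\r\nZoneId=0\r\n"
PAYLOAD = b"WScript.Echo('constructed sample script');"


def demo():
    """Run both gates over one downloaded file in three signature states."""
    good = sign(PAYLOAD)
    truncated = good[:16]                # header promises 32 tag bytes, only 10 present
    cases = {"signed": good, "unsigned": b"", "malformed": truncated}
    return {name: (gate_fail_open(INTERNET_ADS, PAYLOAD, blob),
                   gate_fail_closed(INTERNET_ADS, PAYLOAD, blob))
            for name, blob in cases.items()}


if __name__ == "__main__":
    for name, (open_result, closed_result) in demo().items():
        print(f"{name:10s} fail-open={open_result:5s} fail-closed={closed_result}")
```

The only line that differs between the two gates is the `except` branch, which is the whole point: a verifier that cannot read a signature knows nothing about the file, so the safe default is the same warning an unsigned download gets, not the pass a validly signed one gets. The malformed case is where the two gates diverge; signed and unsigned files are handled identically by both.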

Kolsek cautioned that while the patch covers the majority of attack scenarios, some may still get around it: its effectiveness depends on the program opening the file through the DoSafeOpenPromptForShellExe function in shdocvw.dll rather than by some other route. There may be another equivalent method in Windows, but they are not aware of one.

Until Microsoft publishes official updates to fix the issue, 0patch has created free patches for the following vulnerable versions of Windows:

  1. Windows 11 v21H2
  2. Windows 10 v21H2
  3. Windows 10 v21H1
  4. Windows 10 v20H2
  5. Windows 10 v2004
  6. Windows 10 v1909
  7. Windows 10 v1903
  8. Windows 10 v1809
  9. Windows 10 v1803
  10. Windows Server 2022
  11. Windows Server 2019

To apply the micropatch to your Windows device, you must create a free 0patch account and install its agent. Unless specific patching restrictions prevent it, the patches are deployed automatically once the agent is installed, with no system restart required.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.