Friday, October 11, 2024
HomeCyber Security NewsAn Unofficial Patch Has Been Released for Actively Exploited Windows MoTW Zero-Day

An Unofficial Patch Has Been Released for Actively Exploited Windows MoTW Zero-Day

Published on

Malware protection

There is an unofficial patch from 0patch for a Zero-Day flaw in Microsoft Windows that allows bypassing the MotW (Mark-of-the-Web) protections that are built into the operating system and at moment it’s actively exploited.

By utilizing files signed with malformed signatures, this zero-day flaw is able to bypass MotW protections. Various legacy Windows versions as well as all versions that are supported by Microsoft are affected by the issue.

It has been determined by cybersecurity analysts that the Magniber ransomware was being installed on victims’ devices with the help of stand-alone JavaScript files by threat actors.

- Advertisement - SIEM as a Service
https://twitter.com/wdormann/status/1583179494189592576

Mark-of-the-Web Flaw Warning

Microsoft adds a Mark-of-the-Web flag to a file that is downloaded from the Internet by a user when they click on it. Upon launching the file, the OS displays a security warning that indicates that the file has security issues.

Magniber JavaScript files are completely different from their counterparts. As for these files, no security warnings were shown, though the files contained a MoTW and were launched from Windows.

It was uncovered by a senior vulnerability analyst at ANALYGENCE, Will Dormann that one of the JavaScript files contained a malformed digital signature that was being used for signing them.

https://twitter.com/wdormann/status/1582458287915573249

As a result, upon opening a file containing malformed signatures, the program will automatically be run by Microsoft Windows by default.

While apart from this, Windows SmartScreen not being able to parse the malformed signature in a file causes this bug to occur. 

As a result, Windows will unnecessarily permit a program to run when SmartScreen cannot parse the signature instead of raising an error message.

Unofficial Patch

0patch released this unofficial security patch to fix this flaw since it’s a critical zero-day vulnerability and is exploited by threat actors vigorously in the wild.

https://youtu.be/aou4gXQFepg

Why this patch has been tagged as “Unofficial”?

This patch is tagged as unofficial due to its release source, in short, this patch has not been released by Microsoft itself. 

But, until the release of any official patch from Microsoft, users can use this security patch to keep their systems protected against threat actors exploiting this zero-day flaw.

Free Micropatch Availability

Due to this zero-day vulnerability, multiple Windows versions are affected and here below we have mentioned all the affected versions of Windows that are eligible for the free micropatches:-

  • Windows 11 v21H2
  • Windows 10 v21H2
  • Windows 10 v21H1
  • Windows 10 v20H2
  • Windows 10 v2004
  • Windows 10 v1909
  • Windows 10 v1903
  • Windows 10 v1809
  • Windows 10 v1803
  • Windows Server 2022
  • Windows Server 2019 

The installation process for this micropatch will require an account on the 0patch website, and it can be created for free. Once done, you’ll need to download its agent for your Windows device which will automatically install this patch.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...