This article is more than 1 year old

Unofficial fix emerges for Windows bug abused to infect home PCs with ransomware

Broken code signature? LGTM, says Microsoft OS

A cybersecurity firm has issued another unofficial patch to squash a bug in Windows that Microsoft has yet to fix, with this hole being actively exploited to spread ransomware.

Rewind to October 17, and Acros Security released a small binary patch to address a flaw in Microsoft's Mark-of-the-Web (MotW) feature. This feature is supposed to set a flag in the metadata for files obtained from the internet, USB sticks, and other untrusted sources. This flag ensures that when those files are opened, extra security protections kick in, such as Office blocking macros from running or the operating system checking that the user really did want to run that .exe.

It turns out it's possible to bypass this feature, and have files downloaded from the web not carry the MotW flag, thus side-stepping all those protections when opened. Specifically, an attacker could prevent Windows from putting the MotW flag on files extracted from a ZIP archive obtained from an untrusted source. This can be exploited by miscreants to lure marks into opening ZIP archives, and running malicious software within without tripping the expected security protections. The bug was highlighted months ago by Will Dormann, a senior vulnerability analyst at Analygence.

Microsoft has yet to fix this oversight. IT watcher Kevin Beaumont on October 10 said the bug was now being exploited in the wild. Acros put out a micropatch about a week later that can be applied to close this hole while you wait for Redmond to catch up.

Now Acros has emitted another patch that addresses a related MotW security hole in Windows that Microsoft again has not yet fixed.

What's new?

Just days before the first patch was released, HP Wolf Security shared a report about a spate of ransomware infections in September that each started with a web download. Victims were told to fetch a ZIP archive that contained a JavaScript file masquerading as an antivirus or Windows software update.

The script, when run, actually deployed Magniber, a ransomware strain aimed at Windows home users. It scrambles documents and can extort as much as $2,500 from victims to restore their data, according to Wolf Security.

"Even though Magniber does not fall into the category of Big Game Hunting, it can still cause significant damage," the Wolf team wrote in its report, where Big Game Hunting refers to crooks specifically infecting large, rich enterprises in hope of a big payday. "Home users were the likely target of this malware based on the supported operating system versions and UAC bypass."

Crucially, HP malware analyst Patrick Schlapfer noted that the malicious JavaScript in the Magniber ZIP archive did carry the MotW flag but still executed without a SmartScreen alert popping up to either halt the requested action or warn the user against proceeding, as you'd expect for an internet-fetched archive. Mitja Kolsek, CEO of Acros, confirmed SmartScreen was being bypassed by the Magniber script.

Microsoft's SmartScreen is supposed to, among other things, block obvious malicious files or caution users if a file looks suspicious, but the Magniber ZIP archive's contents were able to side step that process entirely. That is to say: there's a bug in Windows that has been exploited so that the MotW flag is not applied to internet-sourced files, and now there's exploitation of a related vulnerability in which MotW is set but it has no effect.

"Remember that on Windows 10 and Windows 11, opening any potentially harmful file triggers a SmartScreen inspection of said file, whereby SmartScreen determines if the file is clear to get launched or the user should be warned about it," Kolsek said.

And it turns out the script file in the Magniber ZIP bypasses SmartScreen due to a broken digital Authenticode signature. This signature confuses Windows so that the script is just allowed to run even though its MotW flag is set.

Analygence's Dormann tweeted on October 18 in response to Schlapfer that "if the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped regardless of script contents, as if there is no MotW on the file."

Microsoft's Authenticode is a digital code-signing technology that identifies the publisher and verifies the software has not been tampered with after being signed and released. Dormann found that script file signature was malformed to the point that Windows "could not even properly parse them. This, for some peculiar reason, led to Windows trusting them – and letting malicious executables execute without a warning," Koslek wrote.

Further inspection by Acros Security found that the flaw came about because SmartScreen, when trying to parse the malformed signature, returned an error, which led the operating system to run the program and infect the machine without triggering a warning.

Acros's latest micropatch, released October 28, works for Windows 11 version 21H2, eight versions of Windows 10 including 21H1 and 21H2, and Windows Server versions 2019 and 2022, we're told.

A spokesperson for Microsoft told us of this latest vulnerability: "We are aware of the technique and are investigating to determine the appropriate steps to address the issue." ®

More about

TIP US OFF

Send us news


Other stories you might like