Windows Mark of the Web bypass zero-day gets unofficial patch
A free unofficial patch has been released through the 0patch platform to address an actively exploited zero-day flaw in the Windows Mark of the Web (MotW) security mechanism.

The flaw lets attackers prevent Windows from applying MotW labels to files extracted from ZIP archives downloaded from the Internet, so those files open without the usual warnings.

Windows automatically adds a MotW label to documents and executables downloaded from untrusted sources (the Internet zone), including files extracted from downloaded ZIP archives, by writing a special ‘Zone.Identifier’ NTFS alternate data stream alongside the file.

These MotW labels tell Windows, Microsoft Office, web browsers, and other apps that the file came from an untrusted source and should be treated with suspicion, and they cause warnings to be shown to the user that opening the file could be dangerous, for example by installing malware on the device. A file that lacks the label opens without those prompts, which is why stripping it during extraction is valuable to attackers.
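To see the mechanism concretely and to audit an extracted folder for files that lost the label, here is an added PowerShell example (not code from the article or from 0patch) that reads, writes and checks the Zone.Identifier stream. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the temp folder, the two .cmd files and the example.invalid URL are constructed for the demonstration and are not from the article.

```powershell
# Added example, not the article's or 0patch's code. Assumes Windows PowerShell 5.1+
# on an NTFS volume. All file names and URLs below are placeholders.

function Get-MotWZoneId {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    # Mark of the Web lives in the NTFS alternate data stream 'Zone.Identifier'.
    # Its content is INI-style, typically:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://example.invalid/
    #   HostUrl=https://example.invalid/archive.zip
    # ZoneId 3 = Internet and 4 = Restricted Sites trigger warnings; 0-2 do not.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }      # no stream: no MotW, no warning on open
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($text -match '(?m)^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null                             # stream present but malformed
}

function Set-MotW {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3,
        [string]$HostUrl
    )
    # Writes the same Zone.Identifier stream Windows applies to Internet downloads,
    # useful for building test fixtures without downloading anything.
    $lines = @('[ZoneTransfer]', "ZoneId=$ZoneId")
    if ($HostUrl) { $lines += "HostUrl=$HostUrl" }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $lines
}

function Test-ExtractedMotW {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Folder)
    # Reports every file under the folder and whether it carries a warning-level
    # MotW label. Run this on the output of an extraction to spot files that
    # lost the label and would open without a prompt.
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $zone = Get-MotWZoneId -Path $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            ZoneId = $zone
            Marked = ($null -ne $zone -and $zone -ge 3)
        }
    }
}

# Demonstration on constructed files in a fresh temp folder (no download involved).
$work = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
'echo hello' | Set-Content -LiteralPath (Join-Path $work 'labelled.cmd')
'echo hello' | Set-Content -LiteralPath (Join-Path $work 'unlabelled.cmd')
Set-MotW -Path (Join-Path $work 'labelled.cmd') -ZoneId 3 -HostUrl 'https://example.invalid/archive.zip'

# labelled.cmd should report Marked=True, unlabelled.cmd Marked=False.
Test-ExtractedMotW -Folder $work | Format-Table -AutoSize

# Show the raw stream on the labelled file, as Explorer's "Unblock" checkbox would remove it.
Get-Content -LiteralPath (Join-Path $work 'labelled.cmd') -Stream Zone.Identifier
```

To reproduce the article's scenario instead of the synthetic one: confirm the downloaded ZIP itself reports a ZoneId of 3 with Get-MotWZoneId, extract it with Explorer, then run Test-ExtractedMotW on the output folder. Any file reported with Marked=False will open without the MotW warning. Note that the extraction tool matters: the label propagation the article describes is Explorer's behaviour, and other extractors may not write Zone.Identifier at all.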
