Windows - Mark of the Web - CVE-2022-41091

Microsoft fixed a flaw exploited to distribute malware

In its November 2022 Patch Tuesday, Microsoft fixed a bug in the handling of the Mark of the Web marker within ISO images, which should help block certain attacks that have so far relied on malicious ISO images.

Before talking about this security issue, let’s talk about the “Mark of the Web” (MoTW) tag itself. When a file comes from the Internet, Windows identifies it thanks to this well-known marker, which then makes it possible to adopt an appropriate behavior. For example, if it is a Word file from the Internet, it is opened in protected mode. To do this, the file carries an attribute named “Zone.Identifier” (an NTFS alternate data stream) which assigns the file to a zone: local computer, trusted sites, Internet, etc. It is a very important marker, supported by Windows as well as by some software (Microsoft Office, 7-Zip, etc.).

CVE-2022-41091: a security issue related to ISO images

Since Windows 8, it is possible to mount an ISO image with a simple “double click”. This has the effect of creating a virtual drive on the system, and this drive gives access to the contents of the ISO image.

Bill Demirkapi, an engineer on the Microsoft MSRC team, says that a vulnerability has been fixed in the handling of the MoTW marker within ISO images. In effect, the marker was not propagated to the files contained in an ISO image. Therefore, an ISO image downloaded from the Internet carried the marker, but the files inside this image did not. In practice, it depends on the type of file: the protection worked for Microsoft Office documents, but not for “.LNK” shortcuts, which can point to any target. A boon for cybercriminals, who were able to use this weakness to spread malware via phishing campaigns.

If a user mounts an ISO image and opens a malicious “LNK” file, it is executed automatically by Windows without displaying any warning. Normally, a confirmation window appears when the file comes from the Internet, but it did not appear in this case. Thanks to the November 2022 update, the CVE-2022-41091 vulnerability is fixed.

CVE-2022-41049: bypassing MoTW with ZIP archives

In addition to this security flaw, Microsoft has fixed the CVE-2022-41049 vulnerability, also associated with the Mark of the Web function. Will Dormann, the originator of this discovery, mentioned two ways to exploit this security flaw.

The first method makes it possible to crash Windows SmartScreen under Windows 11 22H2 and to bypass security warnings when opening files contained within ZIP archives.

Baptized “ZippyReads”, the second method consists of creating a ZIP archive containing a read-only file. When this archive is opened in Windows Explorer, the MoTW flag is not propagated to the read-only file, allowing it to be run without triggering the security warning.

As of today, there is believed to be another vulnerability in MoTW, discovered by Will Dormann, that will not be patched. Indeed, when a JavaScript file carries a malformed signature, it can be executed on the machine without any warning.
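For defenders, the common thread of the ISO and ZIP cases above is that files extracted from a container may end up without the Zone.Identifier stream, so Office Protected View and SmartScreen never see them as Internet content. The following PowerShell is an added example, not code from the article or from Microsoft: it audits a folder for files lacking the marker and re-applies an Internet-zone mark. It assumes an NTFS path (a mounted ISO drive is read-only and cannot hold alternate data streams, so copy its contents to a quarantine folder first) and uses the hypothetical folder C:\Quarantine\extracted.

```powershell
# Added example (not from the article): audit extracted ISO/ZIP contents for
# missing Mark of the Web and re-apply it. Requires an NTFS volume.
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        # Zone.Identifier is an NTFS alternate data stream; absent means "no MoTW"
        $zone = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in @($zone)) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
        [pscustomobject]@{
            File      = $_.FullName
            HasMotw   = [bool]$zone
            ZoneId    = $zoneId          # 3 = Internet, 4 = Restricted sites
            Extension = $_.Extension
        }
    }
}

function Set-MotwInternet {
    param([Parameter(Mandatory)][string]$Path, [string]$ReferrerUrl)
    # Writing ZoneId=3 makes Office open the file in Protected View and lets
    # SmartScreen inspect it, the behaviour the unpatched containers bypassed.
    $content = "[ZoneTransfer]`r`nZoneId=3"
    if ($ReferrerUrl) { $content += "`r`nReferrerUrl=$ReferrerUrl" }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $content
}

# Usage: list unmarked shortcut/script/executable files that came out of an
# ISO or ZIP, then mark them so the normal warnings apply when they are opened.
$unmarked = Get-MotwStatus -Path 'C:\Quarantine\extracted' |
    Where-Object { -not $_.HasMotw -and $_.Extension -in '.lnk', '.js', '.exe' }
$unmarked | Format-Table File, Extension -AutoSize
$unmarked | ForEach-Object { Set-MotwInternet -Path $_.File }
```

Files that were correctly marked (for example Office documents, which the ISO bug did not affect) show HasMotw = True and are left untouched; Unblock-File is the built-in cmdlet that removes the stream again if needed.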

The danger comes and will continue to come through the Internet and through malicious files, so be wary. As a reminder, my full article about Patch Tuesday is available at the address below. This month, Microsoft patched 68 vulnerabilities and 6 zero-day flaws, including those in Microsoft Exchange Server.

