{"id":77881,"date":"2022-11-14T09:42:38","date_gmt":"2022-11-14T01:42:38","guid":{"rendered":"https:\/\/x-phy.com\/?p=77881"},"modified":"2025-09-30T07:20:54","modified_gmt":"2025-09-30T07:20:54","slug":"windows-motw-zero-day-gets-unofficial-patch","status":"publish","type":"post","link":"https:\/\/x-phy.com\/windows-motw-zero-day-gets-unofficial-patch\/","title":{"rendered":"Windows MoTW Zero-Day gets unofficial patch"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"77881\" class=\"elementor elementor-77881\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-62fa098 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"62fa098\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-07be6d9\" data-id=\"07be6d9\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fa9406c elementor-widget elementor-widget-text-editor\" data-id=\"fa9406c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/www.comparitech.com\/blog\/information-security\/cybersecurity-vulnerability-statistics\/\" target=\"_blank\" rel=\"noopener\">Comparitech<\/a> disclosed that over 8,000 <a href=\"https:\/\/x-phy.com\/zero-day-exploit-automotive-industry\/\">zero-day vulnerabilities<\/a> had been published as of Q1 2022. A zero-day (or 0-day) attack exploits a software vulnerability before the vendor becomes aware of it. 
The uncertainty of being ambushed by\u00a0<a href=\"https:\/\/x-phy.com\/category\/blog\/cyber-news\/\" target=\"_blank\" rel=\"noopener\">zero-day attacks<\/a> keeps software vendors and independent security researchers on edge and on constant lookout for an overlooked vulnerability. When such a security flaw is discovered, the vendor quickly issues a code fix, also known as a \u2018patch\u2019, to put a defense mechanism in place that safeguards the vulnerable system. Users of the software install the patch to protect themselves from security holes that would otherwise allow attackers to gain unauthorized access to, damage, or compromise a system. This is especially crucial as <a class=\"\" href=\"https:\/\/x-phy.com\/glossary\/attack-vectors\/\" target=\"_new\" rel=\"noopener\" data-start=\"1265\" data-end=\"1325\">attack vectors<\/a> continue to evolve and target endpoint-level vulnerabilities.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-508ddef elementor-widget elementor-widget-text-editor\" data-id=\"508ddef\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The report published by <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/actively-exploited-windows-motw-zero-day-gets-unofficial-patch\/\" target=\"_blank\" rel=\"noopener\">BleepingComputer<\/a> describes the release of a free unofficial patch for an actively exploited zero-day vulnerability in Windows 10 and Windows 11 that Microsoft has yet to fix. The patch, released by the cybersecurity company, corrects a Windows bug that allows files signed with malformed signatures to bypass\u00a0<a href=\"https:\/\/x-phy.com\/glossary\/data-compliance\/\" target=\"_blank\" rel=\"noopener\">Mark-of-the-Web<\/a>\u00a0(MoTW) security warnings. 
BleepingComputer had earlier brought to light that the threat actors used standalone JavaScript files, delivered to victims\u2019 devices as fake security updates, to install the\u00a0<a href=\"https:\/\/x-phy.com\/glossary\/ransomware-attacks\/\" target=\"_blank\" rel=\"noopener\">Magniber ransomware<\/a>. While files downloaded from the internet are tagged by Windows with a MoTW flag to prevent unauthorized actions, it has since been found that the malicious Magniber JavaScript files did carry a Mark-of-the-Web flag, yet Windows displayed no security warning when they were launched. After analysis, Will Dormann, senior vulnerability analyst at Analygence, established that the Magniber JavaScript files were digitally signed with a malformed signature to exploit the vulnerability. These types of attacks can potentially bypass both OS-level defenses and traditional antivirus tools, which is why <a class=\"\" href=\"https:\/\/x-phy.com\/products\/endpoint-security\/secure-ssd\/\" target=\"_new\" rel=\"noopener\" data-start=\"2710\" data-end=\"2789\">endpoint protection<\/a> with hardware-level detection is critical.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-25bead9 elementor-widget elementor-widget-text-editor\" data-id=\"25bead9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>It later transpired that the MoTW flag itself can be bypassed, side-stepping all of those protections when a file is opened. Specifically, an attacker could prevent Windows from applying the MoTW flag to files extracted from a ZIP archive obtained from an untrusted source. 
Attackers can exploit this by luring users into opening such ZIP archives, so that malicious software executes without triggering the expected security warnings.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8e733e1 elementor-widget elementor-widget-text-editor\" data-id=\"8e733e1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Since this zero-day vulnerability is actively being used in ransomware attacks, the micro-patching service 0patch has decided to issue an unofficial fix that can be used until Microsoft releases an official security update. In the 0patch blog post, co-founder Mitja Kolsek explains that the <a href=\"https:\/\/x-phy.com\/products\/enterprise\/server-defender\/\">zero-day<\/a> bug is the result of SmartScreen throwing an exception while parsing the malformed signature; that exception is incorrectly interpreted as a decision to run the program rather than to show a warning. These types of logic flaws are why <a class=\"\" href=\"https:\/\/x-phy.com\/products\/endpoint-security\/secure-laptop\/\" target=\"_new\" rel=\"noopener\" data-start=\"4024\" data-end=\"4118\">firmware-level AI cybersecurity<\/a> is gaining rapid adoption in the enterprise space.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ca49969 elementor-widget elementor-widget-text-editor\" data-id=\"ca49969\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Microsoft told BleepingComputer that it is aware of the issue and is investigating it to determine the appropriate remediation steps. 
While Microsoft works on a patch, the fact that the vulnerability is now publicly known increases the potential for <a href=\"https:\/\/x-phy.com\/sme-cyber-attack\/\">further attacks<\/a>. Both users and administrators are urged to apply the unofficial patch while awaiting an official fix from Microsoft.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Comparitech disclosed that over 8,000 zero-day vulnerabilities were published as of now in Q1 of 2022. A zero-day (or 0-day) attack is a software vulnerability exploited by attackers before it [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":77888,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-77881","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trends-and-developments"],"_links":{"self":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/77881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/comments?post=77881"}],"version-history":[{"count":1,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/77881\/revisions"}],"predecessor-version":[{"id":110086,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/77881\/revisions\/110086"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/media\/77888"}],"wp:attachment":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/media?parent=77881"}],"wp:term":[{"taxonomy":"category"
,"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/categories?post=77881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/tags?post=77881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}