Wednesday, November 6, 2024

The zero-day vulnerability (MotW) in Windows analyzed

The Zero-day defined

Zero-day: A senior vulnerability analyst named Will Dormann first reported the issue at the IT solutions company Analygence. Interestingly, Dormann first reported the problem to Microsoft in July. However, despite reading the report as far back as August, a fix still needs to be made available for every affected Windows user. Dormann first reported the problem to Microsoft in July, but despite reading the report as of August, a fix is ​​still unavailable for every affected Windows user. Dormann, in September, discovered an outdated Microsoft blocklist of vulnerable drivers, exposing users to malicious drivers from 2019. Microsoft has not officially commented on the issue. Still, project manager Jeffery Sutherland joined in his series of tweets Dormann this October, saying there are already solutions available to address the issue.

The Great Phenomena of Zero-day

Tags serve as a layer of protection and security mechanism that warns your system, including other programs and applications, of potential threats and malware if a particular file is installed. Thus, by preventing attackers from applying MotW tags, the warning signals will not be executed, leaving users to ignore the threats a file may have.

Fortunately, while there is no official fix from Microsoft for this issue, 0patch offers one you can get now. “Therefore, attackers reasonably prefer not to have their malicious files marked with MOTW. this vulnerability allows them to create a ZIP file so that extracted malicious files are not flagged,” writes 0patch co-founder and ACROS Security CEO Mitja Kolsek. Position explaining the nature of MotW as an essential security mechanism in Windows. “An attacker could deliver Word or Excel files in a downloaded ZIP file that would not have their macros blocked due to the absence of MOTW (depending on Office’s macro security settings) or would escape inspection by Smart App Control.”

Features and Characteristics

Technical Details: Essentially, this bug allows an attacker to prevent Windows from setting the “Mark of the Web” flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as the Internet, email, or a USB key. Mark of the Web (MOTW) is a critical security mechanism on Windows. Windows will show a security warning before launching an executable file with MOTW, and Smart App Control only works on files with MOTW. Also, Microsoft Office blocks macros on documents with MOTW. Attackers, therefore, understandably prefer their malicious files not to be marked with MOTW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be observed. Meanwhile, the exposure is being exploited in the wild.

Zero Day
Solution 0patche

Future Projection with 0patch

For now, reports are that the MotW flaw is still being used in the wild, while Microsoft is still mom(mom.exe)* on plans for how to fix it. However, 0patch offers free patches that can serve as temporary workarounds for different affected Windows systems until a Microsoft fix arrives. In the post, Kolsek says the patch covers systems running: Windows 11 v21H2, Windows 10 v21H2, Windows 10 v21H1, Windows 10 v20H2, Windows 10 v2004, Windows 10 v1909, Windows 10 v1903, Windows 10 v1809 v10, Windows1803 or without ESU, Windows Server 7, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2012, and Windows Server 2 R2008 with or without ESU. For current 0patch users, the patch is already available on all 0patch online agents.

Meanwhile, those new to the platform can create a free 0patch account to register a 0patch Agent. The patch application is said to be automatic and does not require a restart. *MOM.EXE: This program works behind the scenes to help graphics cards work correctly. MOM.exe is an integral part of AMD’s Catalyst Control Center, a utility that can be bundled with AMD graphics card drivers. While the driver allows the graphics card to function correctly, the Catalyst Control Center is essential if you want to change any advanced settings or monitor the card’s operation. When MOM.exe encounters a problem, Catalyst Control Center can become unstable, crash, and generate error messages.

Dimitris Kallimanis
Dimitris Kallimanis
My name is Dimitris Kallimanis. I have been working as a Risk Consultant at Deloitte Cyber ​​Security since 2019. I have a master's degree in computer security systems. I'm interested in any new technologies such as Cryptography, Cryptography Algorithms, Machine Learning, Identity Access Management, Cloud Security, Cyber ​​Security, Penetration Testing, Malware Analysis. I like to travel and I have visited 25 countries improving and opening my mind. For the last three years I have been working in three different countries and it was the one of the most interesting steps in my life!

Related Articles

Latest Articles