0patch has issued an unofficial fix for an actively exploited Microsoft Windows zero-day vulnerability that could let files carrying malformed signatures evade Mark-of-the-Web (MotW) security measures, according to The Hacker News.
The patch follows HP Wolf Security's discovery of a Magniber ransomware campaign leveraging phony security updates that include a JavaScript file that carries the MotW tag yet can execute without the SmartScreen warning. The zero-day is caused by exceptions that SmartScreen returns while parsing malformed signatures, said 0patch co-founder Mitja Kolsek.
"Attackers therefore understandably prefer their malicious files not being marked with MotW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked," said Kolsek.
0patch had earlier issued unofficial patches for a separate zero-day MotW bypass vulnerability discovered by security researcher Will Dormann, which involved Windows' failure to apply the MotW identifier to files extracted from specially crafted .ZIP archives.