Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Powered by MOMENTUM MEDIA
Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Explore

SECTIONS

MORE

search button

Windows zero-day vulnerability exploited by hackers

Hackers are bypassing Windows’ security warnings issued for questionable software thanks to a new Windows zero-day vulnerability.

user icon Daniel Croft
Tue, 22 Nov 2022 Security
Windows zero-day vulnerability exploited by hackers
expand image

The zero-day vulnerability allows JavaScript (JS) files to bypass security warnings.

The bypass disables Mark of the Web (MoTW), which is a piece of code that is added to files downloaded from untrustworthy locations, indicating where it came from for security purposes.

The vulnerability is being used to deliver QBot malware, a phishing tool designed to steal passwords. It is often delivered via email, but when an individual usually opens a malicious file infected with QBot, windows will issue a MoTW warning, deterring the user from proceeding. The new exploit works around this.

“While files from the internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” says the warning.

The workaround was discovered by senior vulnerability analyst for ANALYGENCE, Will Dormann. Without the MoTW warnings being displayed, users are much more likely to launch software that could steal or lock down their personal data.

As the vulnerability allows JS files to bypass security messages, hackers have been signing JS or other file types with an embedded base64 encoded signature block.

When Microsoft SmartScreen sees the file and modified signature, it then doesn’t flag it as dangerous, but instead allows it to run automatically.

QBot was originally distributed through a phishing campaign that used ISO images, as Windows was not correctly assigning MoTW to files within.

Cyber Daily logo
VIEW ALL

When Microsoft released its November 2022 patch, it fixed the issue by causing MoTW to propagate all files within an ISO image. Since then, hackers have switched to signing JS files with changed signatures as a means of avoiding security warning messages.

Microsoft has not announced a date for when it expects the exploit to be entirely patched but is actively working on it.

“This is only the beginning — changes take time,” Microsoft’s Bill Demirkapi said with the release of the last patch.

“There are still variants and other MoTW issues that we recently became aware of. Although MotW bypasses do not typically meet MSRC’s bar for servicing, we can make exceptions for issues that are exploited in the wild.”

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.
CD Logo

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED

Be the first to hear the latest developments in the cyber industry.

Copyright © 2007-2024 MOMENTUMMEDIA
Copyright & DisclaimersPrivacy PolicyTerms & Conditions
momentummedia media
most innovative companies awards

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

CATEGORIES

STAY CONNECTED

Copyright © 2024 MOMENTUMMEDIA