Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit
Two separate vulnerabilities exist in different versions of Windows that allow attackers to sneak malicious attachments and files past Microsoft's Mark of the Web (MOTW) security feature.
Attackers are actively exploiting both issues, according to Will Dormann, a former software vulnerability analyst with CERT Coordination Center (CERT/CC) at Carnegie Mellon University, who discovered the two bugs. But so far, Microsoft has not issued any fixes for them, and no known workarounds are available for organizations to protect themselves, says the researcher, who has been credited with discovering numerous zero-day vulnerabilities over his career.
MotW is a Windows feature designed to protect users from files that come from untrusted sources. The mark itself is a hidden tag, an NTFS alternate data stream named Zone.Identifier, that browsers, mail clients, and other download handlers attach to files obtained from the Internet. Files that carry the MotW tag are restricted in what they can do and how they behave. For example, starting with Office 2010, MotW-tagged documents open by default in Protected View, and tagged executables are first checked by Microsoft Defender SmartScreen before they are allowed to run.
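To make the mechanism concrete, here is an added PowerShell example (not code from the article or from the researcher) that shows what the Zone.Identifier stream actually contains, how to apply it to a local file to simulate a download, how a triage script can test for it, and how it is removed. The scratch path under $env:TEMP, the helper name Test-MarkOfTheWeb, and the "ZoneId 3 or 4 means untrusted" rule are assumptions made for the demonstration; the stream name and format are what Windows uses.

```powershell
# Added example, not from the original article. Demonstrates the Zone.Identifier
# alternate data stream that carries the Mark of the Web on NTFS volumes.
# Requires Windows PowerShell 5.1 or later on an NTFS volume.

$path = Join-Path $env:TEMP 'motw-demo.txt'   # assumed scratch location
Set-Content -Path $path -Value 'demo content'

# A file created locally has only the default ':$DATA' stream and no Zone.Identifier.
Get-Item -Path $path -Stream * | Select-Object Stream, Length

# Simulate a browser download by writing the stream a browser would write.
# ZoneId=3 is the Internet zone; downloaders may also add ReferrerUrl= and HostUrl= lines.
Set-Content -Path $path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Read the mark back. This is the data Office and SmartScreen consult when
# deciding whether to open in Protected View or to screen an executable.
Get-Content -Path $path -Stream Zone.Identifier

# Helper (assumed name) that a triage script could use: returns $true when the
# file carries an Internet (3) or Restricted (4) zone marking, $false otherwise,
# including when the stream is absent or the volume does not support streams.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        return [bool]($zone -match '^ZoneId=(3|4)\s*$')
    }
    catch {
        return $false
    }
}

Test-MarkOfTheWeb -Path $path

# Removing the mark is what the "Unblock" checkbox in file properties does.
Unblock-File -Path $path
Test-MarkOfTheWeb -Path $path

Remove-Item -Path $path
```

Two points worth noting from running this: the mark is ordinary file metadata, so anything that copies a file without preserving alternate data streams (a FAT-formatted USB stick, some archive tools, some network shares) silently drops it, and a file that was never tagged in the first place is indistinguishable from one that was deliberately unblocked. That is why a bypass that prevents the tag from being applied or honored is as dangerous as one that strips it.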