Alleged Windows Zero-Day Exploited in the Wild to Bypass Security Warnings via JavaScript Files

A new Windows zero-day vulnerability allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings.
Alleged Windows Zero-Day Exploited in the Wild to Bypass Security Warnings via JavaScript Files

Context

On October 22, 2022, Bleeping Computer reported the technical details of a new Windows zero-day vulnerability that “allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings.” Bleeping Computer assesses that the zero-day was leveraged by ransomware threat actors to deliver the Magniber ransomware in a recent campaign.

Technical Details

The vulnerability reportedly exists in the Mark-of-the-Web (MoTW) feature, which flags files downloaded from the Internet as requiring caution.

Vulnerability analyst Will Dorman assessed publicly that the Magniber campaign leveraging the zero-day used a malformed key to sign malicious files impersonating Windows messages. According to Dorman, “When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware […] Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.”

Dorman also informed Bleeping computer that threat actors can modify any Authenticode-signed file, including executables, to bypass the MoTW security warnings using a hex editor to change some of the bytes in the signature portion of the file.

Note: Microsoft reported to Bleeping Computer that they were unable to recreate the issue but are investigating further.

Mitigation Options

Because Microsoft is currently investigating, there is not currently a patch available for the reported zero-day, but members are encouraged to remain alert for Microsoft updates regarding the issue.

For the Magniber campaign leveraging the zero day, HP researchers provided the following defensive recommendations:

  • Follow the principle of least privilege by only using administrator accounts if you really need to. Many home users have administrator privileges but rarely need them.
  • Download software updates from trusted sources. The campaign depends on tricking people into opening fake software updates. Only download updates from trustworthy sources such as Windows Update and official software vendor websites.
  • Back up your data regularly. Backing up your data will give you peace of mind should the worst happen.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.