Mark of the Web

Last updated

The Mark of the Web (MoTW) is an identifier used by Microsoft Windows to mark files downloaded from the Internet as potentially unsafe. It is implemented as an NTFS Zone.Identifier alternate data stream (ADS) containing an identifier element which indicates (with the "Mark") that a file saved on a computer could contain harmful or malicious content because it was downloaded from an external source ("the Web"). [1] [2]

Contents

The Mark of the Web can also be added as an HTML comment inserted by a web browser when downloading an HTML document from the Internet, noting the URL the document was saved from. [3]

Effects

Windows warns users attempting to open a Web-marked file that it was downloaded from the Internet and could be harmful; the user can opt either to continue or cancel execution. [2] Unless overridden by user action the mark prevents macros from running in Microsoft Office files. [4] [5] Visual Studio projects created with Web-marked files cannot be built or executed. [6]

Some archiving software propagates the MoTW from the archive itself to files extracted from it, preventing its security protection being bypassed by malware distributed within an archive. [7] [8]

Bypasses

There have been Windows vulnerabilities, some of which have been corrected by a patch, that allow the Mark of the Web to be bypassed by malicious actors. CVE-2022-41091 was added to the National Vulnerability Database on November 8, 2022, and refers to the now patched ability of a malicious actor to avoid files downloaded from the Internet being Web-marked. [9] [10] Other vulnerabilities (CVE-2022-44698, patched in December 2022; [11] CVE-2023-36584, patched in October 2023) [12] allowed malicious actors to bypass the restrictions of the mark without removing it.

An attacker may also use social engineering to convince a target user to unblock the file by right-clicking it and changing the file properties. [13]

Related Research Articles

<span class="mw-page-title-main">Internet Explorer</span> Web browser series by Microsoft

Internet Explorer is a retired series of graphical web browsers developed by Microsoft that were used in the Windows line of operating systems. While IE has been discontinued on most Windows editions, it remains supported on certain editions of Windows, such as Windows 10 LTSB/LTSC. Starting in 1995, it was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads or in-service packs and included in the original equipment manufacturer (OEM) service releases of Windows 95 and later versions of Windows. Microsoft spent over US$100 million per year on Internet Explorer in the late 1990s, with over 1,000 people involved in the project by 1999. New feature development for the browser was discontinued in 2016 and ended support on June 15, 2022 for Windows 10 Semi-Annual Channel (SAC), in favor of its successor, Microsoft Edge.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provides security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

<span class="mw-page-title-main">Microsoft Defender Antivirus</span> Anti-malware software

Microsoft Defender Antivirus is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.

The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006. Attacks using this vulnerability are known as WMF exploits.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

SmartScreen is a cloud-based anti-phishing and anti-malware component included in several Microsoft products:

The Java software platform provides a number of features designed for improving the security of Java applications. This includes enforcing runtime constraints through the use of the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, criticism has been directed at the programming language, and Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which were subsequently not properly addressed by Oracle in a timely manner.

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.

EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that allowed users to gain access to any number of computers connected to a network. The NSA knew about this vulnerability but did not disclose it to Microsoft for several years, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.

PLATINUM is the name given by Microsoft to a cybercrime collective active against governments and related organizations in South and Southeast Asia. They are secretive and not much is known about the members of the group. The group's skill means that its attacks sometimes go without detection for many years.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

SMBGhost is a type of security vulnerability, with wormlike features, that affects Windows 10 computers and was first reported publicly on 10 March 2020.

The Microsoft Support Diagnostic Tool (MSDT) is a legacy service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes. In April 2022 it was observed to have a security vulnerability that allowed remote code execution which was being exploited to attack computers in Russia and Belarus, and later against the Tibetan government in exile. Microsoft advised a temporary workaround of disabling the MSDT by editing the Windows registry.

Agent Tesla is a remote access trojan (RAT) written in .NET that has been actively targeting users with Microsoft Windows OS-based systems since 2014. It is a versatile malware with a wide range of capabilities, including sensitive information stealing, keylogging and screenshot capture. Since its release, this malicious software has received regular updates. It is sold as a malware-as-a-service, with several subscription options available for purchase. Campaigns involving Agent Tesla often start with phishing emails, masquerading as legitimate messages from trusted sources.

WinShock is computer exploit that exploits a vulnerability in the Windows secure channel (SChannel) module and allows for remote code execution. The exploit was discovered in May 2014 by IBM, who also helped patch the exploit. The exploit was present and undetected in Windows software for 19 years, affecting every Windows version from Windows 95 to Windows 8.1

References

  1. Abrams, Lawrence (10 November 2022). "Microsoft fixes Windows zero-day bug exploited to push malware". BleepingComputer.
  2. 1 2 Lawrence, Eric (2016-04-04). "Downloads and the Mark-of-the-Web". text/plain. Retrieved 2024-01-09.
  3. kexugit (2011-03-23). "Understanding Local Machine Zone Lockdown". Microsoft Learn. Retrieved 2024-01-09.
  4. "Macro Security for Microsoft Office". National Cyber Security Center (NCSC). 3.0. 11 October 2023 [21 February 2019].
  5. nicholasswhite (2023-12-14). "Macros from the internet are blocked by default in Office - Deploy Office". Microsoft Learn. Retrieved 2024-01-09.
  6. Nagel, Eric (2019-08-26). "Remove the Mark of the Web: Visual Studio 2019 Build Error". Eric Nagel. Retrieved 2024-01-09.
  7. Wixey, Matt (12 October 2022). "Are threat actors turning to archives and disk images as macro usage dwindles?". Sophos News. Retrieved 28 February 2024.
  8. Boyd, Christopher (21 June 2022). "7-Zip gets Mark of the Web feature, increases protection for users". Malwarebytes.
  9. "CVE-2022-41091". NIST National Vulnerability Database. Retrieved 2024-01-09.
  10. "Windows Mark of the Web Security Feature Bypass Vulnerability". Microsoft MSRC. 2022-11-08. Retrieved 2024-01-09.
  11. "CVE-2022-44698". NIST National Vulnerability Database. Retrieved 2024-01-09.
  12. "CVE-2023-36584". NIST National Vulnerability Database. 2023-10-10. Retrieved 2024-06-18.
  13. Hegt, Stan (2020-03-30). "Mark-of-the-Web from a Red Team's Perspective". Outflank. Retrieved 2024-06-19.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.