Unofficial fix emerges for Windows bug abused to infect home PCs with ransomware

A cybersecurity firm has issued another unofficial patch to squash a bug in Windows that Microsoft has yet to fix, with this hole being actively exploited to spread ransomware.

Rewind to October 17, and Acros Security released a small binary patch to address a flaw in Microsoft’s Mark-of-the-Web (MotW) feature. This feature is supposed to set a flag in the metadata for files obtained from the internet, USB sticks, and other untrusted sources. This flag ensures that when those files are opened, extra security protections kick in, such as Office blocking macros from running or the operating system checking that the user really did want to run that .exe.

It turns out it’s possible to bypass this feature, and have files downloaded from the web not carry the MotW flag, thus side-stepping all those protections when opened. Specifically, an attacker could prevent Windows from putting the MotW flag on files extracted from a ZIP archive obtained from an untrusted source. This can be exploited by miscreants to lure marks into opening ZIP archives, and running malicious software within without tripping the expected security protections. The bug was highlighted months ago by Will Dormann, a senior vulnerability analyst at Analygence.

Microsoft has yet to fix this oversight. IT watcher Kevin Beaumont on October 10 said the bug was now being exploited in the wild. Acros put out a micropatch about a week later that can be applied to close this hole while you wait for Redmond to catch up.


Now Acros has emitted another patch that addresses a related MotW security hole in Windows that Microsoft again has not yet fixed.