Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers. For those unfamiliar with Mark of the Web (MoTW), it is a Windows security feature that flags files originating from the Internet so that they are tagged as suspicious by the operating system and installed applications.
When attempting to open a file with a Mark of the Web flag, Windows will display a security warning that the file should be treated with caution.
“While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows.
Microsoft Office also uses the MoTW flag to determine if the file should be opened in Protected View, causing a warning to be displayed and for macros to be disabled.
Microsoft fixes Mark of the Web in ISOs
As part of the November Patch Tuesday updates, Microsoft fixed numerous vulnerabilities that allowed threat actors to craft files that can bypass the Mark of the Web security feature.
Included in the updates was an unexpected fix for a bug that threat actors commonly abuse in phishing campaigns. According to Bill Demirkapi, an engineer in Microsoft MSRC’s Vulnerability and Mitigations team, a bug was fixed that prevented the MoTW flag from propagating to files inside an ISO disk image.
For some time, threat actors have been distributing ISO disk images as attachments in phishing campaigns to infect targets with malware.
Since Windows 8, it is possible to open an ISO file by double-clicking on it, causing Windows to mount it as a DVD drive under a new drive letter.
While a downloaded or attached ISO file will contain the Mark of the Web and issue a warning when opened, the bug caused the MoTW flag not to be propagated to non-Microsoft Office file types, such as Windows Shortcuts (LNK files). Therefore, if a user opens an ISO attachment and double-clicks the enclosed LNK file, it will run automatically without Windows displaying a security warning, as demonstrated below.
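The feature described above is stored on NTFS as an alternate data stream named Zone.Identifier (the ZoneId=3 value means the file came from the Internet zone). The following PowerShell is an added example, not code from the article or from Microsoft, that a defender can use to read that stream on a downloaded file, audit a folder of attachments for files that lack the mark, and apply a test mark to a scratch file so that Protected View or the Windows warning can be verified to trigger. Function names, the scanned folder, and the container-extension list are assumptions made for the example.

```powershell
# Added example (not from the article). Requires Windows PowerShell 5.1 or later on NTFS.
# Reads the Zone.Identifier alternate data stream that carries Mark of the Web (MoTW).

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    # Files without the stream are not marked; Get-Content throws, so treat that as "no MoTW".
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    # Typical stream content:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://example.test/   (optional, newer Windows builds)
    #   HostUrl=https://example.test/file   (optional)
    $info = @{ ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    foreach ($l in $lines) {
        if ($l -match '^(ZoneId|HostUrl|ReferrerUrl)=(.*)$') {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $info.ZoneId) { $info.ZoneId = [int]$info.ZoneId }
    return [pscustomobject]$info
}

function Test-DownloadsMotw {
    # Audits every file in a folder (default: the user's Downloads) and reports
    # which ones carry MoTW, which do not, and which are disk-image containers
    # whose inner files historically did not inherit the mark (see article).
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    # Assumed list of container extensions worth flagging; extend as needed.
    $containers = @('.iso', '.img', '.vhd', '.vhdx')
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $m = Get-MotwInfo -Path $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            Marked      = ($null -ne $m)
            ZoneId      = if ($m) { $m.ZoneId } else { $null }
            IsContainer = ($containers -contains $_.Extension.ToLower())
        }
    }
}

function Set-TestMotw {
    # Writes an Internet-zone mark onto a local scratch file so defenders can confirm
    # that Office opens it in Protected View or that Windows shows its warning.
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    return (Get-MotwInfo -Path $Path).ZoneId   # expected: 3
}

# Usage (constructed example):
#   Test-DownloadsMotw | Where-Object { -not $_.Marked -or $_.IsContainer } | Format-Table
#   Set-TestMotw -Path "$env:TEMP\motw-check.docx"
```

Two caveats when using this on the ISO case: the mounted image itself is a read-only CDFS/UDF volume that cannot store alternate data streams, so the check to run is on the downloaded .iso file and on any files copied out of it to an NTFS folder; and a file that reports no stream has not necessarily been scanned by SmartScreen, since the mark only tells the shell and applications where the file came from.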
Read more about this at bleepingcomputer.com