"Unofficial Fix Emerges for Windows Bug Abused to Infect Home PCs With Ransomware"

Acros Security has issued another unofficial patch to address a bug in Windows that Microsoft has not yet fixed and that is being actively used to spread ransomware. The cybersecurity firm's small binary patch addresses a vulnerability in Microsoft's Mark-of-the-Web (MotW) feature, which is designed to place a flag in the metadata of files obtained from the Internet, USB sticks, and other untrustworthy sources. This flag ensures that when those files are opened, additional security safeguards are activated, such as Office blocking macros from running or the operating system verifying that the user truly intended to run that .exe.

However, it is possible to circumvent this feature so that files downloaded from the Internet do not carry the MotW flag, thus bypassing all of the protections when they are opened. For example, an attacker could prevent Windows from putting the MotW flag on files extracted from an untrusted ZIP archive. Bad actors can use this to trick users into opening ZIP archives and running malicious software without triggering the expected security safeguards.

Will Dormann, a senior vulnerability analyst at Analygence, discovered the bug months ago. On October 10, IT watcher Kevin Beaumont reported that the bug was now being exploited in the wild. HP Wolf Security shared a report about a wave of ransomware infections in September that all started with a web download just days before the first patch was released. Victims were instructed to obtain a ZIP archive containing a JavaScript file posing as an antivirus or Windows software update. When the script was executed, it installed Magniber, a ransomware strain aimed at Windows home users. According to HP Wolf Security, it encrypts documents and can extort up to $2,500 from victims in order to restore their data.

This article continues to discuss the unofficial patch released by Acros Security to address a flaw in Microsoft's MotW feature.

The Register reports "Unofficial Fix Emerges for Windows Bug Abused to Infect Home PCs With Ransomware"

Submitted by Anonymous on