Free Micropatches For Bypassing "Mark of the Web" on Unzipped Files ("ZippyReads" / CVE-2022-41049)

 

by Mitja Kolsek, the 0patch Team

Update 11/8/2022: This issue, nicknamed "ZippyReads", got an official fix with November 2022 Windows Updates which assigned it CVE-2022-41049. Our micropatches for it are therefore no longer free and require a PRO or Enterprise license. Details have also been published.

 

In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the "Mark of the Web" flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as Internet, email, or a USB key.

Mark of the Web (MOTW) is an important security mechanism in Windows:

• Windows will show a security warning before launching an executable file with MOTW;
• Smart App Control only works on files with MOTW (source);
• Microsoft Office blocks macros on documents with MOTW (source).

 

Attackers therefore understandably prefer their malicious files not being marked with MOTW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked.

Will has notified Microsoft about this issue in July, but an official fix has not been provided yet. Meanwhile, the vulnerability is apparently being exploited in the wild.

We're happy to report that we've just issued micropatches for this vulnerability, and are - according to our guidelines - providing it free of charge until Microsoft has issued their official fix. 

We will not provide details on the vulnerability at this point.

 

Our Micropatch In Action

The video below shows our micropatch in action. With 0patch disabled (and the micropatch therefore not applied), an executable file in a ZIP archive that is marked with MOTW executes without a warning, because the file itself is not marked with MOTW upon extraction. With our micropatch in place, the extraction code is corrected and properly applies the MOTW to the extracted file - which results in the security warning being shown to the user.

Similarly, an attacker could deliver Word or Excel files in a downloaded ZIP that would not have their macros blocked due to the absence of the MOTW (depending on Office macro security settings), or would escape the inspection by Smart App Control.

Micropatch Availability

Since this is a "0day" vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.

Micropatches were written for: 

1. Windows 11 v21H2
   
2. Windows 10 v21H2
   
3. Windows 10 v21H1
   
4. Windows 10 v20H2
   
5. Windows 10 v2004
6. Windows 10 v1909
7. Windows 10 v1903
8. Windows 10 v1809
9. Windows 10 v1803
10. Windows 7 with or without ESU
    
11. Windows Server 2022
12. Windows Server 2019 
13. Windows Server 2016
14. Windows Server 2012
15. Windows Server 2012 R2
16. Windows Server 2008 R2 with or without ESU

 

These micropatches have already been distributed to all online 0patch Agents. If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center.