- May 4, 2019
- 801
An update was added to the end of the article explaining that any Authenticode-signed file, including executables, can be modified to bypass warnings.
A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.
Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.
The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called 'Zone.Identifier,' which can be viewed using the 'dir /R' command and opened directly in Notepad, as shown below.
Exploited Windows zero-day lets JavaScript files bypass security warnings
A new Windows zero-day allows threat actors to use malicious JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.
www.bleepingcomputer.com