### #0patch #WindowsSecurity #MotWVulnerability
Summary: Unofficial security patches have been released by 0patch to address a zero-day vulnerability in the Windows Mark of the Web (MotW) mechanism, which has been present for over two years. This flaw allows attackers to bypass security checks on certain file types, potentially leading to malware installation.
Threat Actor: Unknown | Unknown
Victim: Windows Server 2012 and 2012 R2 | Windows Server 2012
Key Point :
- 0patch has released free micropatches for Windows Server 2012 and 2012 R2 to mitigate a zero-day vulnerability.
- The vulnerability allows attackers to bypass Mark of the Web security checks on certain file types downloaded from the Internet.
- This flaw has remained undetected for over two years, affecting even fully updated servers with Extended Security Updates.
- Users can install these micropatches easily by registering for a 0patch account and installing the agent.
- ACROS Security will withhold further details until Microsoft provides official patches for the vulnerability.
Free unofficial security patches have been released through the 0patch platform to address a zero-day vulnerability introduced over two years ago in the Windows Mark of the Web (MotW) security mechanism.
Windows automatically adds Mark of the Web (MotW) flags to all documents and executables downloaded from untrusted sources. These MotW labels inform the Windows operating system, Microsoft Office, web browsers, and other applications that the file should be treated cautiously.
As a result, users are warned that opening such files could lead to potentially dangerous behavior, such as installing malware on their devices.
According to Mitja Kolsek, co-founder of the 0patch micropatching service, this flaw can let attackers prevent Windows from applying (MotW) labels on some file types downloaded from the Internet.
“Our researchers discovered a previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass a security check otherwise enforced by Mark of the Web on certain types of files,” said Mitja Kolsek, co-founder of the 0patch micropatching service.
“Our analysis revealed this vulnerability was introduced to Windows Server 2012 over two years ago, and remained undetected – or at least unfixed – until today. It is even present on fully updated servers with Extended Security Updates.”
ACROS Security, the company behind 0Patch, will withhold information on this vulnerability until Microsoft releases official security patches that block potential attacks targeting vulnerable servers.
These unofficial patches are available for free for both legacy Windows versions and fully updated ones:
- Windows Server 2012 updated to October 2023
- Windows Server 2012 R2 updated to October 2023
- Windows Server 2012 fully updated with Extended Security Updates
- Windows Server 2012 R2 fully updated with Extended Security Updates
To install these micropatches on your Windows Server 2012 systems, register a 0patch account and install its agent. If there are no custom patching policies to block them, they will be deployed automatically after launching the agent (without requiring a system restart).
“Vulnerabilities like these get discovered on a regular basis, and attackers know about them all,” Kolsek added today.
“If you’re using Windows that aren’t receiving official security updates anymore, 0patch will make sure these vulnerabilities won’t be exploited on your computers – and you won’t even have to know or care about these things.”
A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.