
FileFix Attack: JScript bypasses Windows MoTW

A significant new security vulnerability, dubbed FileFix, has been identified that bypasses Windows' Mark-of-the-Web (MoTW) security feature. The bypass specifically targets JScript files, allowing malicious scripts downloaded from the internet to execute without triggering the security warnings that users rely on.

The Mark-of-the-Web is a vital Windows component designed to protect users by flagging files downloaded from untrusted sources, primarily the internet. When a file is downloaded, Windows attaches a zone identifier (a small piece of metadata) indicating its origin. This causes security features like Protected View or security warnings to activate when the user tries to open or run the file.

However, the FileFix attack exploits a loophole in how Windows handles certain file operations and zone identifiers. With this technique, attackers can cause the MoTW flag to be missing from, or removed from, a downloaded JScript (.js or .jse) file. The operating system then treats the script as a local file or one from a trusted zone, and the security checks are bypassed.

The consequence is serious: a downloaded malicious JScript can then run with the same permissions as if it had been created locally, with no security prompt or warning to the user. This opens the door for attackers to execute arbitrary code, install malware, steal sensitive information, or take control of the system, because the initial download step, which MoTW normally guards, no longer carries the same risk of being blocked.
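For a defender, the practical question is whether a script in a user's Downloads folder still carries the zone identifier the article describes. On NTFS that metadata lives in the `Zone.Identifier` alternate data stream, an INI-style block (`[ZoneTransfer]`, `ZoneId=3`, optional `ReferrerUrl`/`HostUrl`). The following is an added example, not code from the article, that parses that stream and flags .js/.jse files which would run with no MoTW warning; the function names and the `example.invalid` URLs in the test are constructed for illustration.

```python
import os
import sys
from typing import Optional

# ZoneId values Windows records in the Zone.Identifier alternate data stream (ADS).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
SCRIPT_EXTENSIONS = {".js", ".jse"}  # the JScript types the article discusses

def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block of a Zone.Identifier stream.
    Keys come back lower-cased; any other section is ignored."""
    fields, in_section = {}, False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def read_zone_identifier(path: str) -> Optional[str]:
    """Read '<file>:Zone.Identifier' from NTFS; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:  # stream missing, or a volume without ADS support
        return None

def assess(path: str, stream_text: Optional[str]) -> dict:
    """Summarise a file's MoTW state. A JScript file with no stream, or with a
    ZoneId below 3 (Internet), runs without any MoTW warning, which is exactly
    the state the FileFix technique aims for; flag it for review."""
    f = parse_zone_identifier(stream_text or "")
    zid = int(f["zoneid"]) if f.get("zoneid", "").isdigit() else None
    is_script = os.path.splitext(path)[1].lower() in SCRIPT_EXTENSIONS
    return {
        "path": path,
        "zone_id": zid,
        "zone_name": ZONE_NAMES.get(zid, "unknown") if zid is not None else "no MoTW",
        "referrer_url": f.get("referrerurl"),
        "host_url": f.get("hosturl"),
        "needs_review": is_script and (zid is None or zid < 3),
    }
```

To audit a folder on Windows, call `assess(p, read_zone_identifier(p))` for each file path `p`; on other platforms the stream read always returns None, so pass captured stream text directly.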

The discovery of FileFix underscores the ongoing challenges in securing operating systems against sophisticated attacks that exploit subtle system behaviors. It highlights the need for continued vigilance and potentially new approaches to ensure downloaded content is always handled securely, even when attackers attempt to manipulate file metadata. This bypass makes carefully crafted JScript files a renewed threat vector that users and organizations need to be aware of.

Source: https://www.bleepingcomputer.com/news/security/new-filefix-attack-runs-jscript-while-bypassing-windows-motw-alerts/
