Banana peels ahead warning

Malformed signature trick can bypass Mark of the Web

Mark of the Web (MOTW)—the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet—is back in the news, but unfortunately not in a good way.

Bleeping Computer reports that a recently uncovered (but somewhat old) bug has been unearthed which helps people with bad intentions to leapfrog MOTW alerts. This has, apparently, already been observed in ransomware attacks.

MOTW was originally an Internet Explorer security feature. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from who-knows-where. Over time, it even contributed to preventing certain types of files from running. It’s a versatile, helpful thing. We most recently talked about it when 7-Zip decided to support MOTW.

If you open a file flagged with MOTW, at the bare minimum you should see one of several messages, depending on if you’re looking at file properties, or attempting to open a file which you’ve downloaded. It might be this:

This file came from another computer and might be blocked to help protect this computer.

Alternatively, you might see this one instead:

While files from the internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software.

Microsoft Office will also use MOTW as a way of deciding if Protected View activates.

Bypassing MOTW

It seems that signed files are the key to this conundrum. Files can be cryptographically signed in order to confirm who created them, and to confirm that they have not been changed since they were signed. (As Microsoft points out, this doesn’t assert that a file is safe, only that it has not been tampered with.)

So far, so good. How does this result in MOTW bypasses, though? Well, first of all it seems this has been an issue for several years. To be more specific, this probably became a bug around the release of Windows 10.

The problem is that a malformed signature results in the various possible warnings to notify of bad times ahead going AWOL. You will simply never see them:

According to an interview with Will Dormann on Bleeping Computer, the problem appears to be related to SmartScreen, introduced in Windows 10.

It’s never a good thing when malware authors are able to turn security features on their head and use them against the people sitting in front of their device. Making yourself less safe by disabling a setting like SmartScreen just to ensure you see a warning that you should see anyway, and is also supposed to keep you safe, isn’t a trade off that anyone should need to make. Fingers crossed that this one is resolved as soon as possible.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.