CVE CyberSecurity Database News

CVE-2022-41091 - Breaking Down the Windows Mark of the Web (MotW) Security Bypass Vulnerability

Poster -

---

Windows users and system administrators rely on built-in protections to help catch malicious files before they can run. One powerful security barrier is the "Mark of the Web" (MotW), which flags files as coming from the internet. But in late 2022, security researchers discovered a vulnerability – CVE-2022-41091 – that bad actors were exploiting to bypass this important protection. Let’s dive in so you can understand what it is, how it works, and see some practical (but safe!) code showing just what happens.

What is the Mark of the Web (MotW)?

Mark of the Web is a small piece of metadata added by Windows and many browsers to files downloaded from the internet. Here’s how it works:

- If a file *could* be dangerous (like a Word document or archived installer), the system adds a hidden alternate data stream (ADS) named Zone.Identifier to it.
- When a user tries to open this file, Windows or Office shows warnings or might restrict file activity.

This simple trick is a big part of what helps block phishing and malware attacks that sneak through downloads.

What Happened with CVE-2022-41091?

CVE-2022-41091 is a vulnerability that allows attackers to package dangerous files (like Windows shortcuts or scripts) inside certain archival file formats so that MotW isn’t applied when unpacked. The system then treats these files as if they are safe — even if they came from a dangerous source!

Important: This is different from CVE-2022-41049, which deals with a related but separate Windows security vulnerability.

How Does the Exploit Work?

The most popular approach used to abuse this vulnerability uses .CAB files or specially crafted ZIP files with an incorrect directory structure.

- When unpacked with Windows tools like Explorer.exe, these tools extract the dangerous file without applying the MotW flag.
- As a result, a user who double-clicks the file won’t see the usual warning, and malware can run freely.

Exploit Example: A Simple .CAB Archive

A classic payload for this exploit is a Microsoft Cabinet (.CAB) archive containing a LNK (shortcut) file pointing to malware.

> Note: Never run or open unknown CAB or LNK files unless you know they are safe!

1. Create a regular LNK file (malicious or benign for demo)

$ws = New-Object -ComObject WScript.Shell
$shortcut = $ws.CreateShortcut("payload.lnk")
$shortcut.TargetPath = "notepad.exe"
$shortcut.Save()

Now, add this .lnk into a CAB file

makecab payload.lnk payload.cab

2. Download and Unpack

When this .cab archive is downloaded from the internet, extracting it with Windows Explorer will not trigger MotW for payload.lnk inside.

Contrast this with a regular .zip file (not abusing the bug)

- If you zip payload.lnk, browsers and tools properly tag the extracted file with MotW, and you see a warning on execution.

LNK and script files meant to auto-download additional threats when clicked.

Attackers love this approach because it’s simple and effective — it literally lets them waltz past warnings meant to save the day.

Microsoft published the official advisory and guidance here

- Microsoft Security Response Center: CVE-2022-41091
- Microsoft Blog (November 2022) - "Windows Mark of the Web bypass"

A patch was rolled out as part of the November 2022 Patch Tuesday updates. All Windows users should ensure they are fully updated.

Want to know if a file has the MotW? Try this PowerShell script

$file = "payload.lnk"
if (Get-Content "$file:Zone.Identifier" -ErrorAction SilentlyContinue) {
    Write-Host "MotW is present."
} else {
    Write-Host "MotW is missing!"
}

If you extract a .lnk from a maliciously-crafted .cab, this check will show no MotW, meaning the exploit worked.

Summary

CVE-2022-41091 is a striking example of how attackers abuse minor oversights in file processing to defeat user protections. By mastering the details, system admins and users can better defend against sneaky malware and keep their systems safe.

*Original References:*

- Official CVE advisory
- CERT/CC Vulnerability Note VU#605641
- Will Dormann's Demo (Twitter thread)

Timeline

Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 00:33:00 UTC