CVE-2023-36584 - How Attackers Can Bypass Windows Mark of the Web (MotW) Security and What It Means for You

---

What Is CVE-2023-36584?

In late 2023, security researchers uncovered a new vulnerability labeled CVE-2023-36584. It affects Windows’ Mark of the Web (MotW) protection—a feature designed to warn or block users from opening files downloaded from the internet. By exploiting this flaw, attackers can trick Windows into ignoring MotW, letting malicious code run without warnings.

This isn't just theoretical: Proof-of-concept demonstrations already exist, and attackers in the wild have started using this technique.

Background: What Is Mark of the Web?

When you download a file (like a Word doc or a ZIP archive) from the internet, Windows adds a hidden marker ("Zone.Identifier" Alternate Data Stream) to the file. When you try to open it, programs like Explorer, Office, or Edge check that marker and warn you if the file’s from an untrusted source.

*This is known as “Mark of the Web” (MotW), and it’s a key defense against malware delivered by email or web downloads.*

What’s the Problem in CVE-2023-36584?

CVE-2023-36584 is a *security bypass*. Attackers found a way to craft special files that slip past MotW checks. That means a file that should trigger a security warning might instead open as if it’s safe.

How? By embedding a malicious file inside certain legitimate file types and leveraging how Windows handles some file formats within archives, attackers can trick Windows (and apps like Microsoft Office) into ignoring MotW tags.

Demonstration: Simple Exploit Example

Here’s an example using .CAB files (Microsoft Cabinet archives), one of the vectors identified for this vulnerability.

Step 1: Create a Malicious .hta File

This could be any harmful script; here’s a harmless sample.

<!-- evil.hta -->
<script>
    alert('Your PC has been compromised!');
</script>

Step 2: Package It Inside a .CAB File

makecab evil.hta evil.cab

Step 3: Deliver to the Victim

Attacker uploads evil.cab to a website or sends via email. When the victim downloads and extracts the evil.hta file from the CAB:

Expected: The file gets a MotW marker, and Windows warns when opened.

- Exploited: Due to CVE-2023-36584, MotW is *not* applied. Opening evil.hta launches it *without* any warning.

Why?

Windows doesn’t properly apply the zone identifier to files extracted from some archive formats, especially if attackers use complex file structures or metadata tricks.

A real-world PoC using Python

# Compiles a malicious .hta into a CAB
import os

hta_content = "<script>alert('You are hacked!');</script>"
with open("evil.hta", "w") as f:
    f.write(hta_content)

os.system("makecab evil.hta evil.cab")
print("evil.cab created. Distribute to victim.")

What Are Attackers Doing With This?

- Sending Phishing Emails: With weaponized ZIP or CAB archives that drop unmarked executables or scripts.
- Bypassing Office Warnings: Embedding malicious macros or scripts in documents that normally trigger MotW blocks.

Mitigation and Recommendations

1. Update Windows: Microsoft released a patch for CVE-2023-36584 in the October 2023 Patch Tuesday updates. *Always apply the latest security patches!*
2. Beware of Unexpected Files: Be cautious when opening email attachments or files from the web, especially archives.
3. Disable Unwanted Script File Types: Block .hta, .js, or other scripting formats at endpoint security or mail gateway if possible.
4. Educate Users: Inform users about the risk of “disabling security features” or “ignoring warnings.”
5. Monitor for Suspicious Extracted Files: Use EDR tools to track when untrusted archives are extracted and mark or block them.

References & Further Reading

- Microsoft Security Advisory – CVE-2023-36584
- Google Project Zero Post — MotW Security Bypass Attacks
- Naked Security – Mark-of-the-Web attacks
- Bleeping Computer: Zero-day exploited to bypass Mark-of-the-Web in Windows

Bottom Line

CVE-2023-36584 is a serious weakness for every Windows user and admin. It gives attackers a way around a major safety feature. The fix: patch Windows ASAP and remain cautious—even “normal-looking” files from the internet can be dangerous when MotW doesn't work as expected.

Stay safe, stay patched!

If you want detailed PoC scripts or advice on detection rules for this CVE, let us know in the comments below.

Timeline

Published on: 10/10/2023 18:15:14 UTC
Last modified on: 10/13/2023 19:07:41 UTC