In February 2024, Microsoft patched a critical bug in Windows called CVE-2024-26185, known as the *Windows Compressed Folder Tampering Vulnerability*. This flaw lets attackers mess with ZIP files in a way that could let them overwrite or replace files outside the ZIP folder—without you even knowing.
Let's break down how this vulnerability works, how attackers might use it, and what you can do to stay safe.
What is CVE-2024-26185?
This bug deals with how Windows handles compressed folders (usually ZIP files) in File Explorer. Normally, when you drag files out of a ZIP, Windows extracts them cleanly. But due to CVE-2024-26185, a crafty attacker can trick Windows into extracting files anywhere on your system—not just to the folder you picked.
Microsoft’s official writeup:
Microsoft Security Update Guide – CVE-2024-26185
The classic attack goes like this
1. Craft a malicious ZIP file with files that have special names (using tricky path references like ..\..\).
Suppose an attacker creates a ZIP file with a file path that goes up several directories, like this
my-malicious.zip
|
|--- ..\..\..\Windows\System32\notepad.exe (malicious version)
When you extract this ZIP using Windows Explorer, Windows should stop you from writing into protected areas like System32. But with this bug, in some cases, those restrictions can be bypassed, and files can end up where the attacker wants.
Here’s a quick way to make such a ZIP
import zipfile
with zipfile.ZipFile("evil.zip", "w") as zipf:
# "..\\..\\evil.bat" will try to escape extraction folder
zipf.writestr("..\\..\\evil.bat", "malicious code here")
This ZIP places evil.bat *two levels up* when someone extracts it in Windows Explorer.
Why Is This Bad?
- Tampering/Overwriting Files: Attackers might overwrite your files or put bad scripts in places that run on startup.
How Dangerous Is It?
Very! If you run extractions as a user with admin rights, the attacker could replace system files. Even as a normal user, they might hit your startup folder or overwrite your personal files.
Microsoft marked this vulnerability as Important. (It’s not marked as “critical” only because it needs user action to open and extract the ZIP.)
Other technical references:
- ZDI advisory: ZDI-24-278
- NIST NVD entry
Sample Exploit Step-By-Step
1. Create a dangerous ZIP: With a tool, script, or ZIP software that allows file paths, make entries like ..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\badfile.bat.
Payload lands in the Startup folder. Next time the computer boots, it runs automatically.
Mitigation is hard without a patch! Antivirus might catch *some* known payloads, but not the bug itself.
How Do You Stay Safe?
- Install Windows Updates: Microsoft patched this in their February 2024 security updates. Check here.
Summary Table
| Exploit Type | Required User Action | Impact |
|-------------------------- |-----------------------------------|------------------------------------------|
| Malicious ZIP extraction | User must extract ZIP via Explorer | Files placed or overwritten out-of-place |
Exclusive Tip
If you want to check if your system is vulnerable (before applying patches), simply extract a ZIP file with files containing lots of ..\\ or ../ in the path. If you see files appearing outside the folder where you extracted, *you're at risk!*
Conclusion
CVE-2024-26185 is a clear reminder: even simple tools like Windows’ built-in ZIP handler can carry dangerous bugs. Always patch your system, be careful with files from untrusted sources, and consider using third-party tools for handling archives.
References
- Microsoft Security Update Guide – CVE-2024-26185
- Zero Day Initiative - ZDI-24-278
- NIST National Vulnerability Database - CVE-2024-26185
*Written exclusively for you. Please share to keep others informed!*
Timeline
Published on: 03/12/2024 17:15:57 UTC
Last modified on: 03/12/2024 17:46:17 UTC