CVE-2024-38217 - New Windows Mark of the Web Bypass Explained (With Code and Exploit Details)

---

Microsoft’s Mark of the Web (MotW) feature is supposed to keep computers safe from files downloaded off the internet. Unfortunately, a new vulnerability, CVE-2024-38217, lets attackers dodge this security boundary. In this post, I’ll break down how MotW works, what’s wrong with it, show code examples, walk through how an exploit of this class works, and point to original sources so you can dive deeper.

What is Mark of the Web (MotW)?

MotW is a security feature built into Windows. When you grab a file from the internet (browser, email client, etc.), the downloading application attaches an NTFS *Alternate Data Stream* (ADS) named Zone.Identifier to the file. The stream is a tiny INI-style text: a [ZoneTransfer] section with a ZoneId line (3 = Internet zone), often followed by the ReferrerUrl and HostUrl it came from. This tells Windows (and programs that check for it) that the file came from an untrusted source.

When you try to open that file, Windows consults the mark: SmartScreen prompts before running an executable, Office opens documents in Protected View, and Explorer shows "This file came from another computer and might be blocked." MotW is why.
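To make the mark concrete, here is an added example (my own code, not from the original post or from Microsoft) that builds, parses and checks a Zone.Identifier stream. The `file:Zone.Identifier` path syntax is how an NTFS alternate data stream is opened from Python on Windows; on ext4 or APFS the same syntax just creates a sibling file with a colon in its name, which is handy for testing the parsing logic offline. The sample URLs are constructed.

```python
# Zone IDs as written in the Zone.Identifier stream ([ZoneTransfer] / ZoneId=N).
URLZONE_LOCAL_MACHINE = 0
URLZONE_INTRANET = 1
URLZONE_TRUSTED = 2
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4

ZONE_NAMES = {
    0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
    3: "Internet", 4: "Restricted Sites",
}

ADS_NAME = "Zone.Identifier"


def build_zone_identifier(zone_id, referrer_url=None, host_url=None):
    """Return the stream bytes a browser writes for a download.
    Windows writes CRLF-terminated INI text; ReferrerUrl and HostUrl are optional."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def parse_zone_identifier(data):
    """Parse stream contents. Returns a dict with 'ZoneId' as an int plus any other
    keys found in [ZoneTransfer], or None if there is no usable mark."""
    in_section = False
    result = {}
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    if "ZoneId" not in result:
        return None
    try:
        result["ZoneId"] = int(result["ZoneId"])
    except ValueError:
        return None
    return result


def read_mark(path):
    """Read and parse the Zone.Identifier stream of `path`, or None if absent.
    On NTFS 'path:Zone.Identifier' opens the ADS; elsewhere it names a sibling file."""
    try:
        with open(f"{path}:{ADS_NAME}", "rb") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


def write_mark(path, zone_id=URLZONE_INTERNET, referrer_url=None, host_url=None):
    """Attach a mark to `path`, the same way a browser does after a download."""
    with open(f"{path}:{ADS_NAME}", "wb") as f:
        f.write(build_zone_identifier(zone_id, referrer_url, host_url))


def is_untrusted(path):
    """True when the mark says Internet or Restricted Sites, i.e. the zones for which
    SmartScreen and Office Protected View treat the file as untrusted."""
    mark = read_mark(path)
    return mark is not None and mark["ZoneId"] >= URLZONE_INTERNET


if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "sample.exe")   # constructed sample file
    with open(sample, "wb") as f:
        f.write(b"MZ")
    write_mark(sample, URLZONE_INTERNET, host_url="https://example.com/sample.exe")
    mark = read_mark(sample)
    print(ZONE_NAMES[mark["ZoneId"]], mark.get("HostUrl"), is_untrusted(sample))
```

The zone number is the only field the OS acts on; the URLs are informational and can be spoofed by whatever writes the stream, so never use them as a trust signal.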

How CVE-2024-38217 Bypasses MotW

Microsoft’s September 2024 security update (Patch Tuesday, 10 September 2024) lists CVE-2024-38217 as a "Windows Mark of the Web Security Feature Bypass Vulnerability", and flags it as publicly disclosed and exploited in the wild before the fix shipped. Here’s why it matters:

An attacker can get Windows to skip the MotW checks, so the victim opens a dangerous file with no SmartScreen prompt or Protected View at all. This can lead to malware infections, phishing attacks, and more, with zero user suspicion.

Like the 2022 bypasses (CVE-2022-41049, which involved ZIP extraction), it belongs to the class of bugs where a file that should carry the mark ends up without one. Microsoft’s advisory does not describe the trigger, so the rest of this post walks through the archive-handling variant of that class, which is the easiest to reproduce and the one the PoC below targets.

How Does the Exploit Work?

The most common technique is to use ZIP or TAR archives. Here’s the general idea:

1. Create a ZIP file with a malicious EXE inside.
2. Get the victim to download it. The .zip itself receives a Zone.Identifier stream from the browser, as any download does.
3. Have the victim extract it with a tool, or through a code path, that does not copy the archive's mark onto the files it writes (older or third-party archivers, or a crafted archive that trips up the extractor).
4. The user double-clicks the extracted EXE. It runs with no MotW prompt.

This works because some extraction code never copies the Zone.Identifier stream from the archive to the files it writes, which silently drops the protection. Older and third-party archivers are most often at fault, and CVE-2022-41049 showed that Windows’ own ZIP handling could be fooled with crafted archives too.
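The steps above come down to one question: does the extractor copy the archive's mark onto what it writes? The following added example (my own code, not from the original post or any archiver project) puts a naive extractor next to a hardened one that propagates the stream and also refuses path-traversal entries. The `download.zip` archive, its `ZoneId=3` mark and the `evil.exe` placeholder are constructed test data; on NTFS the `path:Zone.Identifier` syntax opens the real alternate data stream, while on other filesystems it creates a sibling file, which is enough to exercise the logic offline.

```python
import os
import zipfile

ADS_NAME = "Zone.Identifier"


def read_ads(path):
    """Raw bytes of the Zone.Identifier stream of `path`, or None if there is none.
    'path:stream' is the NTFS ADS syntax; on ext4/APFS it names a sibling file."""
    try:
        with open(f"{path}:{ADS_NAME}", "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


def has_motw(path):
    return read_ads(path) is not None


def naive_extract(zip_path, dest):
    """What a careless extractor does: members are written as plain files and the
    archive's mark is never carried over, so evil.exe lands with no MotW."""
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(dest)


def safe_extract(zip_path, dest):
    """Extract `zip_path` into `dest`, rejecting entries that escape `dest`, and copy the
    archive's Zone.Identifier stream onto every regular file written.
    Returns the list of extracted file paths."""
    mark = read_ads(zip_path)
    dest = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            if mark is not None:                      # inherit the archive's zone
                with open(f"{target}:{ADS_NAME}", "wb") as ads:
                    ads.write(mark)
            written.append(target)
    return written


def run_demo(workdir):
    """Build a constructed archive, mark it as an Internet download, extract it both
    ways and return (naive_exe_has_motw, safe_exe_has_motw)."""
    zip_path = os.path.join(workdir, "download.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("evil.exe", b"MZ" + b"\x00" * 62)   # placeholder bytes, not a real PE
        zf.writestr("docs/readme.txt", b"hello")
    with open(f"{zip_path}:{ADS_NAME}", "wb") as ads:   # what the browser would have written
        ads.write(b"[ZoneTransfer]\r\nZoneId=3\r\n")
    naive_dir = os.path.join(workdir, "naive")
    safe_dir = os.path.join(workdir, "safe")
    naive_extract(zip_path, naive_dir)
    safe_extract(zip_path, safe_dir)
    return (has_motw(os.path.join(naive_dir, "evil.exe")),
            has_motw(os.path.join(safe_dir, "evil.exe")))


if __name__ == "__main__":
    import tempfile
    print(run_demo(tempfile.mkdtemp()))   # (False, True)
```

Explorer's built-in extraction behaves like `safe_extract` in the normal case; the 2022 ZIP bypass was exactly a crafted archive that pushed it onto the `naive_extract` path. When auditing a third-party archiver, run the same two-way check against its output rather than trusting its documentation.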

Proof-of-Concept Code Snippet

Below is a simplified Python snippet that builds the kind of archive used in the steps above. Note that the ZIP itself is ordinary: the ZIP format has nowhere to store a Zone.Identifier stream, so the bypass happens at extraction time, not inside the file. (For research and educational purposes only!)

import zipfile

# Placeholder bytes with a DOS "MZ" signature. This is NOT a valid PE and will not
# execute; substitute a real test binary when reproducing.
payload = b'MZ\x90\x00' + b'\x00' * 100

with open("evil.exe", "wb") as f:
    f.write(payload)

# A plain ZIP. Nothing here strips or adds a Zone.Identifier stream; whether
# evil.exe carries a mark after extraction depends entirely on the extractor
# copying the archive's own mark onto the files it writes.
with zipfile.ZipFile("bypass_motw.zip", "w") as zipf:
    zipf.write("evil.exe")

print("bypass_motw.zip created. Download it, then extract with a tool that does not propagate MotW to reproduce.")

NOTE: Actual weaponized exploits use much more sophisticated payloads and archive tricks.

Malware delivery: in practice the archive is bundled with a fake installer or a decoy document as the lure.

Once the victim extracts and runs the EXE, there’s no MotW warning even though it originated outside the local machine.

Mitigation and Detection

Microsoft’s patch: the best fix is to install the September 2024 Patch Tuesday updates (released 10 September 2024). See Microsoft’s advisory.

Extra security tips

- Don’t open unexpected ZIP or email attachments.
- Prefer Windows Explorer for extracting ZIPs; it propagates the mark. If you use a third-party archiver, make sure it is configured to propagate the Zone.Identifier stream (recent 7-Zip versions have a setting for this) and avoid obscure tools.
- If you’re an admin, use AppLocker or Windows Defender Application Control to block execution from Downloads and Temp folders, and alert on executables in those folders that lack a Zone.Identifier stream.

References & More Technical Details

- Microsoft CVE-2024-38217 advisory (official): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38217
- Deep dive on MotW Bypass (2022 predecessor, context)
- Explaining Alternate Data Streams and MotW
- Common ZIP extraction gotchas

Summary

CVE-2024-38217 is a big deal because it shows that attackers are still getting around a core Windows security mechanism by arranging for a downloaded file to lose its mark, in this class of bugs simply by tweaking archives and how they’re unpacked. Microsoft’s September 2024 patch closes this hole, but only if you install it. Until then, beware of untrusted archives and keep your system and anti-virus up to date.


*Feel free to share or cite this post. Stay safe out there!*

Timeline

Published on: 09/10/2024 17:15:24 UTC
Last modified on: 10/09/2024 01:26:21 UTC