Mark of the Web

Add links
From Wikipedia, the free encyclopedia


The Mark of the Web (MoTW) is the name often used for the Microsoft NTFS ADS Zone.Identifier alternate data stream used to mark files downloaded from the Internet as potentially unsafe. The ADS contains an identifier element which indicates (with the "Mark") that a file saved on a computer could contain harmful or malicious content because it was downloaded from an external source ("the Web").[1][2] The mark of the web may also refer to an HTML comment inserted by a web browser when downloading an HTML document from the internet noting the url of origin.[3]

Effects[edit]

Because it is a feature of NTFS, the mark of the web only affects files opened on computers running the Microsoft Windows operating system.[4] Windows warns a user running a Web-marked executable file that it had been downloaded from the Internet and could be harmful; the user can opt either to continue or cancel execution.[2] Unless overridden by user action the mark prevents macros from running in Microsoft Office files,[5][4] and Visual Studio projects created with Web-marked files cannot be built or executed.[6]

Some archiving software propagates the MoTW from the archive itself to files extracted from it, preventing the security from being bypassed by distributing malware as archive members.[7][8]

Malicious bypasses[edit]

There have been Windows vulnerabilities, some of which have been corrected by a patch, that allow the mark of the web to be bypassed by malicious actors. CVE-2022-41091 was added to the National Vulnerability Database on November 8, 2022, and refers to the now patched ability of a malicious actor to avoid files downloaded from the Internet being Web-marked.[9][10] Other vulnerabilities (CVE-2022-44698, patched in December 2022;[11] CVE-2023-36584, patched in October 2023)[12] allowed malicious actors to bypass the restrictions of the mark without removing it.

References[edit]

  1. ^ Abrams, Lawrence (10 November 2022). "Microsoft fixes Windows zero-day bug exploited to push malware". BleepingComputer.
  2. ^ a b "Downloads and the Mark-of-the-Web". text/plain. 2016-04-04. Retrieved 2024-01-09.
  3. ^ kexugit (2011-03-23). "Understanding Local Machine Zone Lockdown". learn.microsoft.com. Retrieved 2024-01-09.
  4. ^ a b nicholasswhite (2023-12-14). "Macros from the internet are blocked by default in Office - Deploy Office". learn.microsoft.com. Retrieved 2024-01-09.
  5. ^ "Macro Security for Microsoft Office". National Cyber Security Center (NCSC). 3.0. 21 February 2019 [Reviewed 11 October 2023].
  6. ^ "Remove the Mark of the Web: Visual Studio 2019 Build Error". Eric Nagel. 2019-08-26. Retrieved 2024-01-09.
  7. ^ Wixey, Matt (12 October 2022). "Are threat actors turning to archives and disk images as macro usage dwindles?". Sophos News. Retrieved 28 February 2024.
  8. ^ Boyd, Christopher (21 June 2022). "7-Zip gets Mark of the Web feature, increases protection for users". Malwarebytes.
  9. ^ "NVD - CVE-2022-41091". nvd.nist.gov. Retrieved 2024-01-09.
  10. ^ "Security Update Guide - Microsoft Security Response Center". msrc.microsoft.com. Retrieved 2024-01-09.
  11. ^ "NVD - CVE-2022-44698". nvd.nist.gov. Retrieved 2024-01-09.
  12. ^ "CVE-2023-36584". National Vulnerability Database (NVD). 13 October 2023.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Mark_of_the_Web&oldid=1216555428"