Unofficial fix emerges for Windows bug abused to infect home PCs with ransomware

A cybersecurity firm has issued another unofficial patch to squash a bug in Windows that Microsoft has yet to fix, with this hole being actively exploited to spread ransomware. Rewind to October 17, and Acros Security released a small binary patch to address a flaw in Microsoft's Mark-of-the-Web (MotW) feature. This feature is …

  1. Mike 137 Silver badge

    Relying on the unreliable

    "It turns out it's possible to bypass this feature, and have files downloaded from the web not carry the MotW flag, thus side-stepping all those protections when opened."

    Yet another "security feature" that does not work. There's nothing more dangerous than a supposed protection you take for granted but that does not work. Unless a control can be trusted, it's vastly safer to be aware of a hazard and learn to exercise the requisite caution to protect yourself.

    1. Joe W Silver badge

      Re: Relying on the unreliable

      I'd totally agree, except that users click away any notification windows without reading them. "Yeah, just do that and stop nagging me and give me my [ pron / warez / cracks / whatever ]."

      It is quite hard to train users not to do this, not just blindly follow some links, or download stuff and execute it, or just open any old email attachment. "But I only ran it once" they blurt.

      Security is based on education of users and admins and all involved. I think all of us went through a bunch of virus infections of our machines when we were young, freely sharing stuff with friends on floppy disks, spreading whatever was on there through the whole circle of friends. And boom, some files could no longer be recovered. That taught us... not an awful lot, admittedly, but as we repeated those mistakes we learned. But then we had no internet, the machines did not store all of our lives, there was no online banking, so the damage was limited. We went through it the hard way. Education on these things was very limited, our parents had not much of a clue (well, that's what kids think anyway, in each generation).

      1. Al fazed

        Re: Relying on the unreliable

        Every day there are thousands of new users coming into the market place. These are people who have never used a PC or Smart phone before. Of course there is a learning curve of things that you can do and those that you really should not.

        This is the bleeding edge of computer security. So the basic security messages have to be repeated endlessly if we are not going to miss informing the late entrants.

        I don't believe that it's the same people making the same basic mistakes. Unless you are talking about those Microsoft devels...............

        ALF

        1. Paul Hovnanian Silver badge

          Re: Relying on the unreliable

          "So the basic security messages have to be repeated endlessly if we are not going to miss informing the late entrants."

          I would think that these warnings would repeat for every suspect file, for all of eternity. The last thing I want, as an experienced user, is to miss a popup and think that I'm OK opening something. Because I'm smart and know all this stuff already.

          The easiest people to con are often the highly educated ones.

        2. nijam Silver badge

          Re: Relying on the unreliable

          > So the basic security messages have to be repeated endlessly if we are not going to miss informing the late entrants.

          In effect, to train them to ignore "jobsworth" pop-ups, which is how they'll appear to the user.

      2. OhForF' Silver badge

        Re: Relying on the unreliable

        Security is based on education

        Unfortunately our education system is pretty complacent and unable to keep up with teaching pupils everything necessary to navigate through a modern life without issues. Unless something changed in the last couple of years the curriculum here doesn't even include mandatory courses to teach people blind typing on a standard keyboard - much less basics of using a computer in a secure way.

  2. Anonymous Coward

    "could not even properly parse them"

    Ah, the programmers trained by the old On Error Next...

    1. OhForF' Silver badge

      Assessing VB code

      Reminds me of the few times I had to look into other people's Visual Basic code.

      Usually the first line told you how it would be going:

      i) "Option Explicit" - might be able to fix this

      ii) "On Error Resume Next" - abandon all hope ye who enter here

      1. doublelayer Silver badge

        Re: Assessing VB code

        At least it was explicitly set in VB so you knew whether to have hope. I had similar problems when reading C code, but it only became clear after reading a chunk to see if this was the kind of user who checked whether the return codes for system calls were valid or just put in the calls and trusted that it would all be fine. Unfortunately, even when a user tended to do that, they could still miss one by mistake and end up having a bug related to missing a necessary error check. There's something to be said for exceptions that require an interruption. Although a poor coder can still silently catch and drop them, this is easier to spot.

  3. Chessel

    Disable Windows script host

    Were there ever any reasons for a Windows Home user to run a .js or .jse file?

    Just set Windows to block it: https://blog.f-secure.com/how-to-disable-windows-script-host/

    I smugly thought I'd already done this, turns out it was on a previous PC. Oops.
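    The control suggested in the comment above, as an added example that is not part of the original thread or of the linked F-Secure post: a PowerShell script that disables Windows Script Host machine-wide through the documented registry value (so wscript.exe and cscript.exe refuse to run .js/.jse/.vbs/.wsf files whether or not they carry a Mark-of-the-Web), verifies the setting, and then lists script files in the Downloads folder together with the ZoneId from their Zone.Identifier stream, which is the MotW the article says the bypass strips. The registry path is the standard one; the per-user variant under HKCU, the Downloads location and the file-extension list are assumptions for the example. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original thread or from F-Secure's post.
# Assumption: the machine-wide WSH switch lives at the documented key below;
# the same relative path under HKCU applies per user.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Disable-WindowsScriptHost {
    if (-not (Test-Path -LiteralPath $wshKey)) {
        New-Item -Path $wshKey -Force | Out-Null
    }
    # Enabled = 0 makes wscript.exe / cscript.exe refuse every script they would otherwise run
    New-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Test-WindowsScriptHostDisabled {
    $v = (Get-ItemProperty -Path $wshKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    return ($v -eq 0)
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Reads the Zone.Identifier alternate data stream. ZoneId=3 is the Internet zone,
    # which is what SmartScreen and Office Protected View key on. A file without the
    # stream is exactly the case the article describes: downloaded, but unmarked.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # stream present but malformed: treat as unmarked
}

Disable-WindowsScriptHost
if (Test-WindowsScriptHostDisabled) {
    Write-Output 'Windows Script Host disabled under HKLM'
} else {
    Write-Warning 'Could not confirm WSH is disabled; check the Enabled value by hand'
}

# Assumption: downloads land in the default profile folder. Any script file here with
# HasMotW = False would have opened without a SmartScreen prompt before WSH was disabled.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -File -Recurse -Include *.js, *.jse, *.vbs, *.vbe, *.wsf |
    ForEach-Object {
        $zone = Get-MarkOfTheWeb -Path $_.FullName
        [pscustomobject]@{
            File    = $_.Name
            ZoneId  = $zone
            HasMotW = ($null -ne $zone)
        }
    } | Format-Table -AutoSize
```

    Disabling WSH does not touch PowerShell, HTA files or Office macros, so it closes the specific .js/.jse vector in the article rather than scripting in general; the Zone.Identifier listing is a spot check, not a substitute for the vendor fix, since a file can also carry the stream and still be waved through if the signature check on it fails in the way the article describes.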

  4. TeeCee Gold badge

    Big Game Hunting?

    Victims were told to fetch a ZIP archive that contained a JavaScript file masquerading as an antivirus or Windows software update.

    So, actually Gullible Fuckwit Hunting then?

    Same old, same old. As long as the sort of people who'll happily download or receive anything from any old source and run it are allowed to use computers, this sort of thing will keep happening, despite the best efforts of those who can simultaneously walk and chew bubblegum to prevent it. This is no different to an email with an executable attached in the early '90s.

    Hint: If the luser has the ability to allow privileged execution and will run anything you tell them to, you can easily pwn any machine, anywhere with any OS.

  5. Ace2 Silver badge

    "We ... are investigating to determine the appropriate steps to address the issue."

    You mean, assume MotW is ON if the signature is garbled? That wasn't so hard to determine...

  6. Wolfclaw

    and yet Microsoft expect people to buy subscriptions for an O/S they fail to protect even when given advance warning and being actively exploited.

  7. M.V. Lipvig Silver badge

    The obvious fix

    to people clicking links is a new warning.

    "Clicking on this will likely cause a £1,000.00 charge as it may destroy your system. Yes I have a spare grand or no I don't"

    For work machines,

    "Clicking on this link may be grounds for immediate dismissal and loss of unemployment payments. Yes, fire me or no, I want to keep my job"

    Putting a currency or employment cost instead of a "may cause problems yes or no" alert might make people think twice.

    So far as the bug goes, everything else M$ does crashes randomly even when the checks pass. Why is this failing and still working?

    1. Roland6 Silver badge

      Re: The obvious fix

      I presume your fix relies on the MotW security flag being set...

    2. Anonymous Coward
      Anonymous Coward

      Re: The obvious fix

      Ah, you're making the mistake of thinking people even actually *read* these popups....

      All too many don't, or they only read enough of the buttons to find the "Just continue already!" option.

  8. georgezilla

    ....................

    < heavy sigh >

    Fuck.

    < shakes head >
