Difference between revisions of "Mark of the Web"

From MgmtWiki
Revision as of 10:30, 9 May 2025

Full Title

Context

Files from the Internet or similar sources could contain malware. Therefore, Microsoft introduced a security mechanism years ago under which such files are tagged with a Mark of the Web (MotW) flag. Windows can display a security warning before opening or starting an executable file that has the MotW flag set.

Windows

Since Windows Vista, files downloaded from the web onto NTFS carry an Alternate Data Stream (ADS) named Zone.Identifier, which is considered to be the MotW.

  • The following PowerShell output lists the streams of a file downloaded from the web.
get-item ZoomInfoContactContributor.exe -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : :$DATA
Length        : 265600

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe:SmartScreen
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe:SmartScreen
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : SmartScreen
Length        : 7

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : Zone.Identifier
Length        : 201
  • The following shows the contents of a Zone.Identifier stream (a.k.a. the Mark of the Web):
Get-Item * | Get-Content -Stream Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://vscode.dev/
HostUrl=https://vscode.dev/
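
The stream shown above is a small INI-style block. As an added example (not code from the wiki page), the following Python reads that text, maps the ZoneId to its Windows security-zone name, and, when run on NTFS, reads the stream directly from a file's alternate data stream; the zone-name table and the rule that zones 3 and 4 trigger the open-file warning are the standard Windows URL security-zone semantics, not something the page states.

```python
"""Parse and interpret a Zone.Identifier (Mark of the Web) stream.
Added example, not part of the wiki page; zone ids follow the standard
Windows URL security zones (0-4)."""
from typing import Optional

# Windows URL security zone ids, as written in the ZoneId= field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
STREAM_NAME = "Zone.Identifier"

# Constructed sample, copied from the stream contents shown on the page.
SAMPLE_STREAM = "[ZoneTransfer]\nZoneId=3\nReferrerUrl=https://vscode.dev/\nHostUrl=https://vscode.dev/\n"


def parse_zone_identifier(text: str) -> dict:
    """Parse the [ZoneTransfer] block; a missing or non-numeric ZoneId becomes None."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone_raw = fields.get("ZoneId", "")
    zone_id = int(zone_raw) if zone_raw.isdigit() else None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
        # Attachment Manager / SmartScreen warn for Internet (3) and Restricted (4) origins.
        "warns_on_open": zone_id is not None and zone_id >= 3,
    }


def read_motw(path: str) -> Optional[dict]:
    """Read <file>:Zone.Identifier (an NTFS ADS); None when the mark is absent."""
    try:
        with open(f"{path}:{STREAM_NAME}", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

Auditing a download folder with read_motw (a None result on a file that came from the web means the mark is missing or was stripped) is one defensive use of this parser.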

Mac OS X

Since Mac OS X Leopard, applications that download files from the web have had the ability to mark files as being 'quarantined' [1]. A file being quarantined just means that you haven't yet approved the file. In Snow Leopard, this feature was enhanced to protect users against known malware such as Mac Defender. OS X stores quarantine information in extended file attributes [2]. Specifically, these are the relevant extended attributes:

  • com.apple.metadata. This isn't specific to quarantining files, but it does appear to supply the other information shown in the quarantine prompt. It carries two key-value pairs: kMDItemDownloadedDate (a date/time) and kMDItemWhereFroms (two URLs: the direct download URL and the download page URL). The kMDItemWhereFroms data is also shown in the Finder's Get Info window.
  • com.apple.quarantine. This attribute holds the name of the application that downloaded the file, the current quarantine status and, presumably, other details.

You can list all extended attributes on a file with the xattr shell command. Take any DMG you have lying around, open the Terminal, and run xattr -l path/to/file.dmg. The output lists the extended attributes used for quarantining, along with a couple of others.

On the developer side of things, to enable file quarantine for files downloaded through your application, simply set LSFileQuarantineEnabled to true in your Info.plist.

  1. http://support.apple.com/kb/HT3662
  2. http://en.wikipedia.org/wiki/Extended_file_attributes#Mac_OS_X

Problems

  • 2025-05 Mark of the web is easily manipulated by a range of open-source tools: https://assets.beyondtrust.com/assets/documents/Microsoft-Vulnerabilities-Report-2025-14-Apr-2025.pdf
  • Windows and the "Mark of the Web" (MotW) security problem, 2023-01-09: https://borncity.com/win/2023/01/09/windows-and-the-mark-of-the-web-motw-security-problem/

Unlike Mandatory Access Control (MAC) labels, the Mark of the Web is an ordinary attribute stored in the file system (on NTFS, the Zone.Identifier alternate data stream), so it can be read and altered like any other file data.

References