Mark of the Web

{{Short description|Identifier for files sourced from the Internet}}

The Mark of the Web (MoTW) is a metadata identifier used by Microsoft Windows to mark files downloaded from the Internet as potentially unsafe.{{Cite web |last=Lawrence |first=Eric |date=2016-04-04 |title=Downloads and the Mark-of-the-Web |url=https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ |access-date=2024-01-09 |website=text/plain |language=en}}{{cite news| last=Abrams | first=Lawrence | title=Microsoft fixes Windows zero-day bug exploited to push malware | website=BleepingComputer | date=10 November 2022 | url=https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zero-day-bug-exploited-to-push-malware/}} Although its name specifically references the Web, it is also sometimes added to files from other sources perceived to be of high risk, including files copied from NTFS-formatted external drives when those files were themselves downloaded from the web at some earlier point.

It is implemented using the alternate data stream (ADS) feature of Microsoft's default NTFS filesystem.{{cite book |title= Windows Internals |edition= 5th |last1= Russinovich |first1= Mark E. |author-link= Mark Russinovich |last2= Solomon |first2= David A. |last3= Ionescu |first3= Alex |publisher= Microsoft Press |year= 2009 |chapter= File Systems |page= 921 |quote= One component in Windows that uses multiple data streams is the Attachment Execution Service [...] depending on which zone the file was downloaded from [...] Windows Explorer might warn the user. |isbn= 978-0-7356-2530-3}} Because it relies on a feature exclusive to NTFS, transferring the file to or from a partition with another filesystem, such as FAT32 or Ext3, strips the file of its ADSs and thus of the mark. These alternate streams are intended to be transparent (i.e. hidden from most users) and are neither shown to nor made editable by users through any GUI built into Windows by default.

A second type of MoTW can arise when saving a webpage as an HTML document, as most browsers insert an HTML comment noting the URL from which the document was saved.{{Cite web |last=kexugit |date=2011-03-23 |title=Understanding Local Machine Zone Lockdown |url=https://learn.microsoft.com/en-us/archive/blogs/ieinternals/understanding-local-machine-zone-lockdown |access-date=2024-01-09 |website=Microsoft Learn |language=en-us}} This form of mark differs significantly in that it is plainly visible to users and is embedded within the file itself rather than in ADS metadata, making it easy to spot and remove manually.

The mark was added by all versions of Internet Explorer supported on Windows 7 and later. All Chromium-based (e.g. Google Chrome) and Firefox-based web browsers also write the mark's stream to downloaded files. All of these browsers additionally add the second type of mark, the source URL of a downloaded webpage, as an HTML comment at the beginning of the file. The marks written by Chromium- and Firefox-based browsers contain the domain name and exact URL of the original download location, which makes them an obscure but real record of browsing history, with the accompanying privacy risks.{{Cite web|url=https://www.digital-detective.net/forensic-analysis-of-zone-identifier-stream/|title=Forensic Analysis of the Zone.Identifier Stream|first=Craig|last=Wilson|date=October 8, 2021|website=Digital Detective}}
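The comment form of the mark follows a fixed layout that Microsoft documents for Internet Explorer: `<!-- saved from url=(NNNN)URL -->`, where NNNN is the zero-padded length of the URL that follows (`about:internet` is the conventional URL used to force a local page into the Internet zone). The following Python is an added example, not code from the article or from any browser; it parses that comment, checks the declared length against the URL, and removes it, which is the check a forensic or privacy-minded practitioner would want before sharing a saved page. The sample HTML is constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a page saved with the HTML form of the Mark of the Web.
# The four digits in parentheses are the zero-padded length of the URL after them.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- saved from url=(0014)about:internet -->
<html><body><p>example</p></body></html>
"""

# Matches the comment form of the mark; group 1 is the declared length, group 2 the URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def make_mark(url: str) -> str:
    """Build the comment form of the mark for a URL (e.g. to lock a local HTML file
    into the Internet zone with about:internet)."""
    if len(url) > 9999:
        raise ValueError("URL too long for the four-digit length field")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def find_mark(html: str) -> Optional[Tuple[str, int, bool]]:
    """Return (url, declared_length, length_matches) for the first mark found,
    or None when the document carries no such comment.

    A length that does not match the URL is reported rather than rejected, so the
    caller can decide how to treat a malformed or hand-edited mark."""
    m = MOTW_RE.search(html)
    if not m:
        return None
    declared = int(m.group(1))
    url = m.group(2)
    return url, declared, declared == len(url)


def strip_mark(html: str) -> str:
    """Remove the first mark comment. Because the URL records where the page was
    obtained, stripping it is a sensible step before a saved page is shared."""
    return MOTW_RE.sub("", html, count=1)


if __name__ == "__main__":
    found = find_mark(SAMPLE_HTML)
    print("mark:", found)
    print("after strip:", find_mark(strip_mark(SAMPLE_HTML)))
```

`find_mark` deliberately tolerates a wrong length field and only flags it; whether a browser honours a mismatched mark is not something this example asserts.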

Effects

Windows warns users attempting to open a Web-marked file that it was downloaded from the Internet and could be harmful; the user can opt either to continue or to cancel. If the file is executable and the user chooses to override the warning, the mark is removed from the file so that the same prompt does not appear every time. Unless overridden by user action, the mark prevents macros from running in Microsoft Office files.{{cite web |date=11 October 2023 |orig-date=21 February 2019 |title=Macro Security for Microsoft Office |url=https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office |website=National Cyber Security Center (NCSC) |version=3.0}}{{Cite web |last=nicholasswhite |date=2023-12-14 |title=Macros from the internet are blocked by default in Office - Deploy Office |url=https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked |access-date=2024-01-09 |website=Microsoft Learn |language=en-us}} Visual Studio projects created from Web-marked files cannot be built or executed.{{Cite web |last=Nagel |first=Eric |date=2019-08-26 |title=Remove the Mark of the Web: Visual Studio 2019 Build Error |url=https://www.ericnagel.com/how-to-tips/remove-the-mark-of-the-web-visual-studio-2019.html |access-date=2024-01-09 |website=Eric Nagel |language=en-US}}

Some archiving software propagates the MoTW from the archive itself to the files extracted from it, preventing its protection from being bypassed by malware distributed inside an archive.{{cite web | last=Wixey | first=Matt | title=Are threat actors turning to archives and disk images as macro usage dwindles? | website=Sophos News | date=12 October 2022 | url=https://news.sophos.com/en-us/2022/10/12/are-threat-actors-turning-to-archives-and-disk-images-as-macro-usage-dwindles/ | access-date=28 February 2024}}{{cite news| last=Boyd | first=Christopher | title=7-Zip gets Mark of the Web feature, increases protection for users | publisher=Malwarebytes | date=21 June 2022 | url=https://www.malwarebytes.com/blog/news/2022/06/7-zip-gets-mark-of-the-web-feature-increases-protection-for-users}}

If the downloaded file is an executable (e.g. an installer), the program can read its own mark stream to identify where it was downloaded from, which is occasionally used for telemetry and/or security purposes. A program can attempt to verify that it was downloaded from an official source (assuming the stream has not been removed or spoofed) and can transmit this information back over the Internet (BiglyBT's installer is one example of this in practice).

Implementation

An ADS is a form of file fork that allows more than one data stream to be associated with a single filename, addressed in the form filename:streamname (e.g. notepad.exe:extrastream). Although intended for helpful metadata, their obscure nature makes them a possible hiding place for potentially unwanted information, including, in the case of the MoTW, the browser history associated with the downloaded file.

In the case of the mark, the ADS is named Zone.Identifier. As of Windows 10, the contents of the Zone.Identifier stream are structured like an INI file (i.e. a key-value store) and include the keys HostIpAddress, HostUrl, and ReferrerUrl.{{Cite web|url=https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)?redirectedfrom=MSDN|title=About URL Security Zones (Windows)|date=August 15, 2017|website=learn.microsoft.com}} To some extent these are implementation-defined fields, but they typically contain the domain name and exact URL of the original download location.
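To make the stream format concrete, here is an added Python example (not code from the article, from Windows, or from any archiver) that parses a Zone.Identifier stream, names the URL security zone it records, and composes a stream for the archive-propagation case described under Effects. It relies on two facts not spelled out above: the keys sit under a `[ZoneTransfer]` section, and the section also carries a `ZoneId` key whose value is the numeric URL security zone (0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted). Reading the stream from a real file only works on Windows, so `read_mark` is guarded and the rest of the block operates on text; the sample stream is constructed for the example, and the "treat zones 3 and 4 as untrusted" rule in `is_untrusted` is this example's own triage policy.

```python
import configparser
import os
from typing import Optional

# Numeric URL security zones that appear in the ZoneId key.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier stream as a modern browser writes it.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/downloads/
HostUrl=https://cdn.example.com/files/setup%20tool.exe
"""


def parse_zone_identifier(text: str) -> Optional[dict]:
    """Parse the INI-style stream into a dict of its [ZoneTransfer] keys.
    Returns None for text that is not a well-formed ZoneTransfer block."""
    # interpolation=None: '%20' in a URL must not be treated as a format directive.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (HostUrl, not hosturl) for faithful reporting
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if "ZoneTransfer" not in cp:
        return None
    info = dict(cp["ZoneTransfer"])
    try:
        info["ZoneId"] = int(info.get("ZoneId", ""))
    except ValueError:
        return None
    return info


def zone_name(info: dict) -> str:
    """Human-readable zone for a parsed stream; unknown numbers are reported as such."""
    return ZONE_NAMES.get(info["ZoneId"], f"Unknown zone {info['ZoneId']}")


def is_untrusted(info: dict) -> bool:
    """Example triage rule: Internet and Restricted-sites downloads are untrusted."""
    return info["ZoneId"] in (3, 4)


def read_mark(path: str) -> Optional[dict]:
    """Read and parse a file's Zone.Identifier ADS. Returns None when not on
    Windows, when the file has no such stream, or when the stream is malformed."""
    if os.name != "nt":  # ADS syntax only means something on Windows/NTFS
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def build_zone_identifier(zone_id: int, host_url: str = "", referrer_url: str = "") -> str:
    """Compose stream text, e.g. for an extractor that propagates an archive's mark
    to the files it writes. CRLF line endings match what Windows tools produce."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    parsed = parse_zone_identifier(SAMPLE_STREAM)
    print(zone_name(parsed), "untrusted:", is_untrusted(parsed))
    print("HostUrl:", parsed.get("HostUrl"))
    print(build_zone_identifier(3, host_url="https://cdn.example.com/files/setup%20tool.exe"))
```

On Windows the same stream can be inspected from PowerShell with `Get-Content -Stream Zone.Identifier <file>`; the parser above gives the same keys in a form that a triage script can act on, and `build_zone_identifier` is what an extractor would write to `<extracted file>:Zone.Identifier` to carry the archive's zone across.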

Bypasses, security, and privacy concerns

There have been several Windows vulnerabilities that enabled malicious actors to fully or partially bypass the mark, or that allowed it to be used in the spread of malware, e.g. by hiding code.{{cite web |url=https://www.auscert.org.au/render.html?it=7967 |title=Malware utilising Alternate Data Streams? |website=AusCERT Web Log |date=21 August 2007 |archive-url=https://web.archive.org/web/20110223051226/https://www.auscert.org.au/render.html?it=7967 |archive-date=2011-02-23 |url-status=dead}} Many or all of the known exploits have been corrected by patches. Because of the privacy concerns associated with the mark and the Zone.Identifier stream, including the storage of the exact domain name and origin URL of the file, there exists software specifically designed to strip this information from files in a user-friendly way.{{Cite web|url=https://github.com/fafalone/ZoneStripper|title=fafalone/ZoneStripper|date=December 25, 2024|via=GitHub}}

An exploit with the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-41091 was added to the National Vulnerability Database on November 8, 2022, and refers to the now-patched ability of a malicious actor to avoid files downloaded from the Internet being marked.{{Cite web |title=CVE-2022-41091 |url=https://nvd.nist.gov/vuln/detail/CVE-2022-41091 |access-date=2024-01-09 |website=NIST National Vulnerability Database}}{{Cite web |date=2022-11-08 |title=Windows Mark of the Web Security Feature Bypass Vulnerability |url=https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41091 |access-date=2024-01-09 |website=Microsoft MSRC}} Other vulnerabilities (CVE-2022-44698, patched in December 2022,{{Cite web |title=CVE-2022-44698 |url=https://nvd.nist.gov/vuln/detail/CVE-2022-44698 |access-date=2024-01-09 |website=NIST National Vulnerability Database}} and CVE-2023-36584, patched in October 2023{{cite web |date=2023-10-10 |title=CVE-2023-36584 |url=https://nvd.nist.gov/vuln/detail/CVE-2023-36584 |access-date=2024-06-18 |website=NIST National Vulnerability Database}}) allowed malicious actors to bypass the restrictions of the mark without removing it. In September 2024, another exploit (CVE-2024-38217) was found that, under some circumstances, allowed the mark to be removed entirely, thereby bypassing all detection, and was additionally found to be in active use in the wild.{{Cite web|url=https://blog.0patch.com/2024/11/micropatches-for-lnk-stomping-windows.html|title=Micropatches for "LNK Stomping" Windows Mark of the Web Security Feature Bypass (CVE-2024-38217)|first=Mitja|last=Kolsek}} It has since been patched.

An attacker may also use social engineering to convince a target user to unblock the file by right-clicking it and changing the file properties.{{Cite web |last=Hegt |first=Stan |date=2020-03-30 |title=Mark-of-the-Web from a Red Team's Perspective |url=https://www.outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/ |access-date=2024-06-19 |website=Outflank}}

References