WinRAR 7.10 was released yesterday with numerous features, such as large memory page support, a dark mode, and the ability to fine-tune how Windows Mark-of-the-Web flags are propagated when extracting files.

WinRAR is a popular file archiver and compression tool for Windows that allows users to create, extract, and manage compressed files, primarily in the RAR and ZIP formats, along with many others.

One new feature that stood out is a setting that lets you strip information that may be considered a privacy risk from the Mark of the Web alternate data stream.

For those unfamiliar with the Mark-of-the-Web (MoTW), it is an alternate data stream named "Zone.Identifier" that is added to files downloaded from the Internet, including from websites and email. This identifier tells Windows and supported applications that the file was downloaded from another computer or the Internet and, therefore, could be risky to open.

When attempting to open a downloaded file, Windows will check if a MoTW exists and, if so, display additional warnings to the user, asking if they are sure they wish to run the file. Microsoft Office will also check for the Mark-of-the-Web, and if found, it will open documents in Protected View, with the file in read-only mode and macros disabled.

To check if a downloaded file has the Mark-of-the-Web, you can right-click it in Windows Explorer and open its properties; the General tab shows a security notice with an "Unblock" checkbox when the stream is present.

MoTW is a powerful security feature that is commonly targeted by threat actors who attempt to find zero-day flaws that allow their malicious files to bypass Windows' security warnings.

Modern archivers will propagate the MoTW found on an archive to the files extracted from it, allowing those files to also be protected by the Windows security feature. However, some may consider this a privacy concern: if an extracted file is shared with another person, its "Zone.Identifier" stream can reveal sensitive information about where the file was downloaded from.

This is because the Zone.Identifier stream can contain a lot of information about a downloaded file, including the Internet security zone (ZoneId) it was downloaded from, the URL of the file (HostUrl), the URL referring to the file (ReferrerUrl), and in some cases, the IP address of the host it was downloaded from (HostIpAddress).

As part of WinRAR 7.10, a new setting called "Zone value only" is enabled by default. It strips everything from the MoTW alternate data stream other than the ZoneId when the stream is propagated to extracted files.

"'Zone value only' option in 'Settings/Security' dialog controls if archive Mark of the Web propagation includes only the security zone value or all available fields," reads the WinRAR 7.10 release notes.

This allows the Mark-of-the-Web security feature to continue to work with extracted files, but the alternate data stream can no longer be used to learn where the file was downloaded from.
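The stripping behaviour described above is easy to see on a concrete stream. The following is an added example written for this page, not WinRAR's code: it parses a Zone.Identifier stream, lists the fields that reveal download origin, and produces the reduced "zone value only" form that keeps just the ZoneId. The sample stream, its URLs and its IP address are constructed for illustration; the field names are the ones browsers actually write. The `read_zone_identifier` helper uses Python's ability on Windows to open an alternate data stream as `path:Zone.Identifier`, which is an assumption about the platform (it returns None anywhere the stream cannot be opened).

```python
"""
Parse a Windows Mark-of-the-Web (Zone.Identifier) alternate data stream and
reduce it to the "zone value only" form. Added example; not WinRAR's own code.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# URLMON security zone values as they appear in the ZoneId= field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what a browser writes for a file downloaded from the
# Internet zone. Hosts, paths and the address are made up for illustration.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://downloads.example.test/tools/
HostUrl=https://cdn.example.test/files/tool-1.2.zip
HostIpAddress=203.0.113.10
"""


@dataclass
class ZoneIdentifier:
    zone_id: int
    extra: Dict[str, str] = field(default_factory=dict)  # every field except ZoneId

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    def requires_warning(self) -> bool:
        # Windows shows the open-file warning / Office Protected View for the
        # Internet (3) and Restricted sites (4) zones.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[ZoneIdentifier]:
    """Parse Zone.Identifier text. Returns None if it is not a usable MoTW."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the case of field names (ZoneId, HostUrl, ...)
    try:
        parser.read_string(text)
    except configparser.Error:  # no [ZoneTransfer] header, malformed lines, ...
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", "").strip())
    except ValueError:  # missing or non-numeric ZoneId: Windows treats it as no MoTW
        return None
    extra = {k: v for k, v in section.items() if k != "ZoneId"}
    return ZoneIdentifier(zone_id=zone_id, extra=extra)


def leaked_fields(text: str) -> List[str]:
    """Names of the fields that reveal where the file came from (all but ZoneId)."""
    zi = parse_zone_identifier(text)
    return sorted(zi.extra) if zi else []


def zone_value_only(text: str) -> Optional[str]:
    """Reduce a full stream to what the 'Zone value only' setting propagates:
    the [ZoneTransfer] header and ZoneId, nothing else. CRLF line endings,
    as Windows writes them."""
    zi = parse_zone_identifier(text)
    if zi is None:
        return None
    return f"[ZoneTransfer]\r\nZoneId={zi.zone_id}\r\n"


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier stream on NTFS (Windows: 'path:Zone.Identifier').
    Returns None when the stream does not exist or cannot be opened here."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    full = parse_zone_identifier(SAMPLE_STREAM)
    print(f"Zone {full.zone_id} ({full.zone_name}), warning: {full.requires_warning()}")
    print("Origin-revealing fields:", leaked_fields(SAMPLE_STREAM))
    print("Zone value only:", repr(zone_value_only(SAMPLE_STREAM)))
```

On a Windows machine the same stream can be inspected from PowerShell with `Get-Content -Path <file> -Stream Zone.Identifier`, and removed entirely with `Unblock-File`; the point of the reduced form is that the second line alone is enough for Windows and Office to keep warning about the file, while the HostUrl, ReferrerUrl and HostIpAddress lines are what leak the download origin.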
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 18 Feb 2025 23:00:24 +0000