IZArc Mark-of-the-Web Bypass Vulnerability

Vulnerability

A Mark-of-the-Web (MotW) bypass vulnerability exists in IZArc versions through 4.5. When files are extracted from an archive that has been downloaded from the internet and marked with MotW, the protection is not transferred to the extracted files. This flaw allows potentially harmful files, such as macro-enabled Office documents or executable scripts, to be treated as safe and executed without any security warnings.

Impact

Exploitation of this vulnerability allows for the execution of malicious scripts or programs on the user's computer, potentially leading to unauthorized actions or access. In addition, it could result in the disclosure of sensitive information.

Reproduction

To reproduce this vulnerability, download a macro-enabled Office document or a script file, such as a .BAT or .CMD, and compress it into a .zip or .7z archive. Ensure that the archive is marked with the Mark-of-the-Web by downloading it from the internet. Then, open the archive with IZArc and extract the contents. The extracted files will not retain the MotW, allowing any macros or scripts to execute without warning.

Remediation

Users can update to IZArc version 4.6, which includes a feature to propagate the Mark of the Web to extracted files. Instructions for downloading the latest version are available on the IZArc website.
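
The following PowerShell check confirms whether an extraction carried the Mark-of-the-Web over from the archive, for example to verify the behaviour of an installed IZArc build after updating. It is an added example, not code from the advisory or from the IZArc project. The parameters $ArchivePath and $ExtractDir are hypothetical names for paths you supply, and the script assumes both are on an NTFS volume, where MotW is stored in the Zone.Identifier alternate data stream.

```powershell
# Added example: audit an extraction directory for Mark-of-the-Web propagation.
# $ArchivePath and $ExtractDir are hypothetical parameter names; pass your own paths.
param(
    [Parameter(Mandatory)] [string] $ArchivePath,
    [Parameter(Mandatory)] [string] $ExtractDir
)

function Get-ZoneId {
    # Returns the ZoneId stored in the file's Zone.Identifier stream,
    # or $null when the stream (and therefore the MotW) is absent.
    param([string] $Path)
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$archiveZone = Get-ZoneId -Path $ArchivePath
if ($null -eq $archiveZone) {
    # Without a mark on the archive there is nothing to propagate.
    Write-Warning "Archive has no Zone.Identifier stream; the check is inconclusive."
    return
}
Write-Host "Archive ZoneId: $archiveZone (3 = Internet, 4 = Restricted sites)"

# Compare every extracted file against the archive's zone.
$results = Get-ChildItem -LiteralPath $ExtractDir -Recurse -File | ForEach-Object {
    $zone = Get-ZoneId -Path $_.FullName
    [pscustomobject]@{
        File           = $_.FullName
        ZoneId         = $zone
        # Propagated means the file is marked at least as restrictively as the archive.
        MotWPropagated = ($null -ne $zone -and $zone -ge $archiveZone)
    }
}
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.MotWPropagated })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) extracted file(s) lack the archive's Mark-of-the-Web."
    exit 1
}
Write-Host "All extracted files carry the Mark-of-the-Web."
```

A non-zero exit code means at least one extracted file lost the mark, which is the behaviour described for versions through 4.5.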

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 3.8
exploitability: 5.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.