
On Tue, 1 Nov 2022 21:08:15 +1300, I wrote:
Microsoft has a clever-sounding system for trying to protect Windows users from downloading malicious files: it’s called “Mark-Of-The-Web”. What it means is that any file downloaded from an untrusted source is supposed to have a special flag set in its NTFS metadata indicating that the file is not to be trusted. ... However, by attaching an invalid signature of a particular form, you can trigger an error response from the signature-checking process that is actually interpreted as “this file is OK” ...
And it further turns out that Microsoft’s fix was not to get rid of the actual error response, but to block the path that was being exploited to trigger that error response. And now, it turns out, a new path has been found to trigger that same old bug <https://www.theregister.com/2023/03/14/windows_ransomware_zero_day_patched/>. Previously it was some malformed JavaScript; now it’s an MSI file.
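An added example, not part of the original post and not Microsoft's code: a sketch of a checker that reads the mark and fails closed, so a mark it cannot parse counts as untrusted rather than as "this file is OK". It assumes the mark is the `Zone.Identifier` alternate data stream with a `ZoneId` value, a Windows detail the post only calls "NTFS metadata"; the function names and sample streams are constructed for illustration.

```python
import configparser

INTERNET_ZONE = 3  # ZoneId 3 = Internet, 4 = restricted sites; 0-2 are local/intranet/trusted


def read_mark(path):
    """Return the text of the file's Zone.Identifier stream, or None if it has none."""
    try:
        # "name:stream" is NTFS alternate-data-stream syntax (Windows only).
        with open(path + ":Zone.Identifier", encoding="utf-8-sig", errors="replace") as f:
            return f.read()
    except FileNotFoundError:
        return None  # no mark at all; any other I/O error propagates to the caller


def is_untrusted(stream_text):
    """Decide whether a file should get the untrusted-download treatment."""
    if stream_text is None:
        return False  # never marked, i.e. not recorded as downloaded
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(stream_text)
        zone = int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        # Fail closed: a mark is present but unreadable. Treating this error
        # as "OK" is the class of mistake the post describes.
        return True
    if zone < 0 or zone > 4:
        return True  # unknown zone number: also fail closed
    return zone >= INTERNET_ZONE


# Constructed sample streams, not taken from any real file.
MARKED = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://downloads.example/setup.msi\n"
LOCAL = "[ZoneTransfer]\nZoneId=0\n"
MALFORMED = "[ZoneTransfer]\nZoneId=three\n"

if __name__ == "__main__":
    for name, text in (("marked", MARKED), ("local", LOCAL), ("malformed", MALFORMED)):
        print(name, "->", "untrusted" if is_untrusted(text) else "trusted")
```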