Microsoft’s File-Tainting System ’Tain’t Working

Microsoft has a clever-sounding system for trying to protect Windows users from downloading malicious files: it’s called “Mark-Of-The-Web”. What it means is that any file downloaded from an untrusted source is supposed to have a special flag set in its NTFS metadata indicating that the file is not to be trusted. So any attempt by the user to perform sensitive operations on that file (e.g. execute macros from it, run it as an executable) is supposed to trigger appropriate system warnings. If the file is a .zip archive, then this mark is supposed to be propagated to all files extracted from that archive.

However, it turns out this mechanism can be bypassed (surprise, surprise) <https://www.theregister.com/2022/11/01/microsoft_motw_malware_flaw/>. How can this happen? The flaw lies in the mechanism used to tell Windows to trust downloaded files, by attaching an “Authenticode” signature to them. Files without such signatures are of course untrusted and will trigger the appropriate warnings. However, by attaching an invalid signature of a particular form, you can trigger an error response from the signature-checking process that is actually interpreted as “this file is OK” <https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-motw.html>. What do you call it when an attempt to add mechanisms to make a system more secure actually increases the attack surface on that system?

By the way, the referenced Twitter thread discussing this vulnerability <https://twitter.com/GossiTheDog/status/1579895038523609088> seems to be saying that no Mark-Of-The-Web propagation is done for files extracted from .iso disc images. And that Microsoft uses this form for distributing its own software (Visio was mentioned) precisely to avoid the hassle of going through vetting by third-party antimalware tools.

On Tue, 1 Nov 2022 21:08:15 +1300, I wrote:
> Microsoft has a clever-sounding system for trying to protect Windows users from downloading malicious files: it’s called “Mark-Of-The-Web”. What it means is that any file downloaded from an untrusted source is supposed to have a special flag set in its NTFS metadata indicating that the file is not to be trusted. ... However, by attaching an invalid signature of a particular form, you can trigger an error response from the signature-checking process that is actually interpreted as “this file is OK” ...
And it further turns out that Microsoft’s fix was not to get rid of the actual error response, but to block the path that was being exploited to trigger that error response. And now, it turns out, a new path has been found to trigger that same old bug <https://www.theregister.com/2023/03/14/windows_ransomware_zero_day_patched/>. Previously it was some malformed JavaScript; now it’s an MSI file.
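An added example to go with both messages above (not code from the original posts, from Microsoft, or from the linked write-ups): a PowerShell script that inspects the mark the first message describes (the Zone.Identifier alternate data stream on an NTFS file), extracts a downloaded .zip and reports whether the mark reached each extracted file, re-applies the Internet mark where the extractor dropped it, and makes the trust decision fail-closed: only an Authenticode status of exactly Valid counts as trusted, so an error status can never be read as "this file is OK". It assumes Windows with NTFS and PowerShell 5.1 or later; the script name, the -Download parameter, the scratch folder under $env:TEMP and the use of Expand-Archive are my choices for illustration, and whether Expand-Archive (or any other extractor) propagates the mark is exactly what the report column shows rather than something the script assumes.

```powershell
# Check-Motw.ps1 (hypothetical name) - added example, not Microsoft's code.
# Assumptions: Windows/NTFS, PowerShell 5.1+, $Download is a downloaded .zip,
# $ExtractTo is a scratch folder chosen here for illustration.
param(
    [Parameter(Mandatory = $true)][string]$Download,
    [string]$ExtractTo = (Join-Path $env:TEMP 'motw-check')
)

# The "mark" is the Zone.Identifier alternate data stream on the file.
# Returns the ZoneId (3 = Internet, 4 = Restricted) or $null if there is no mark.
function Get-MotwZone {
    param([string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # stream present but malformed: treat as unmarked
}

# Re-apply the Internet mark to a file that lost it (for instance one that came
# out of an extractor, or a mounted .iso, without the mark being propagated).
function Set-MotwInternet {
    param([string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Fail-closed trust check. Only Status 'Valid' counts; NotSigned, HashMismatch,
# UnknownError and every other status are untrusted, so a malformed signature
# that makes the verifier error out is still treated as untrusted.
function Test-TrustedSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid')
}

# 1. Report the mark on the download itself.
$zone = Get-MotwZone -Path $Download
$zoneText = if ($null -eq $zone) { 'none' } else { $zone }
Write-Host ("Download {0}: ZoneId={1}" -f $Download, $zoneText)

# 2. Extract, then report per member whether the mark propagated and whether
#    the file would pass a fail-closed signature check.
Expand-Archive -LiteralPath $Download -DestinationPath $ExtractTo -Force
$report = Get-ChildItem -LiteralPath $ExtractTo -Recurse -File | ForEach-Object {
    $z = Get-MotwZone -Path $_.FullName
    $propagated = ($null -ne $z)
    if (-not $propagated) {
        # The extractor dropped the mark: put it back so the shell warns as intended.
        Set-MotwInternet -Path $_.FullName
        $z = 3
    }
    [pscustomobject]@{
        File       = $_.FullName
        Propagated = $propagated
        ZoneId     = $z
        SigStatus  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        Trusted    = (Test-TrustedSignature -Path $_.FullName)
    }
}
$report | Format-Table -AutoSize
```

Run it as `.\Check-Motw.ps1 -Download "$env:USERPROFILE\Downloads\tool.zip"` after downloading an archive with a browser. A `Propagated` column of False for any member means that extractor does not carry the mark across, which is the gap the .iso aside in the first message is about; the `Trusted` column only ever becomes True when `SigStatus` is `Valid`, which is the rule the bug in both messages violates by accepting an error status.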
participants (1)
- Lawrence D'Oliveiro