CVE-2023-36584 Overview
CVE-2023-36584 is a Windows Mark of the Web (MotW) Security Feature Bypass vulnerability affecting a wide range of Microsoft Windows operating systems. The Mark of the Web is a critical security mechanism that tags files downloaded from the internet or received from untrusted sources with a Zone Identifier in the file's NTFS alternate data stream. This tagging triggers additional security prompts and restrictions when users attempt to open potentially dangerous files. This vulnerability allows attackers to craft files that bypass these MotW security protections, enabling malicious content to execute without the expected security warnings.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, requiring immediate attention from organizations running affected Windows systems.
Affected Products
- Microsoft Windows 10 (versions 1507, 1809, 21H1, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022
Discovery Timeline
- October 10, 2023 - CVE-2023-36584 published to NVD
- October 28, 2025 - Last updated in NVD database
Technical Details for CVE-2023-36584
Vulnerability Analysis
This security feature bypass vulnerability undermines Windows' defense-in-depth security model by allowing files to evade Mark of the Web protections. When files are downloaded from the internet or extracted from archives, Windows normally applies a Zone.Identifier alternate data stream that marks the file as originating from an untrusted source. This marker triggers SmartScreen checks and warning dialogs when users attempt to execute the file.
The vulnerability allows specially crafted files to bypass this security mechanism, meaning malicious executables, scripts, or documents can run without triggering the expected security warnings. This is particularly dangerous in phishing and social engineering attacks, as users may not receive any indication that a file originated from an untrusted source.
Root Cause
The vulnerability stems from improper handling of the Mark of the Web security feature in affected Windows versions. The security mechanism fails to properly apply or preserve the Zone.Identifier alternate data stream under certain conditions, allowing files to circumvent the trust boundary enforcement that MotW provides.
Attack Vector
The attack leverages network-based delivery of malicious files that have been crafted to bypass MotW protections. An attacker can deliver these files through various means including email attachments, malicious downloads, or compromised websites. The attack requires user interaction—the victim must be convinced to open or execute the malicious file—but the absence of security warnings significantly increases the likelihood of successful exploitation.
The attack flow typically involves:
- Attacker crafts a malicious file designed to bypass MotW protections
- File is delivered to the victim via phishing email, malicious website, or other network-based vector
- Victim downloads or receives the file, which lacks proper MotW tagging
- When the victim opens the file, no security warning is displayed
- Malicious payload executes without user awareness of the security risk
Detection Methods for CVE-2023-36584
Indicators of Compromise
- Files from untrusted sources lacking expected Zone.Identifier alternate data streams
- Execution of downloaded files without corresponding SmartScreen or security prompts in security logs
- Unusual document or executable activity immediately following email attachment downloads
- Missing or malformed alternate data streams on recently downloaded files
Detection Strategies
- Monitor for execution of files that should have triggered MotW warnings but did not
- Implement file integrity monitoring to detect files missing expected Zone.Identifier streams
- Deploy endpoint detection solutions capable of identifying MotW bypass attempts
- Audit security event logs for SmartScreen bypass indicators
Monitoring Recommendations
- Enable enhanced Windows Security logging to capture file origin metadata
- Configure SentinelOne to alert on suspicious file execution patterns that may indicate MotW bypass
- Implement email gateway scanning to detect malicious attachments attempting to exploit this vulnerability
- Monitor for known threat actor TTPs associated with MotW bypass exploitation
How to Mitigate CVE-2023-36584
Immediate Actions Required
- Apply the Microsoft security update immediately due to confirmed active exploitation
- Review systems for evidence of compromise, particularly focusing on recently downloaded files
- Enable additional endpoint protection controls to compensate for MotW bypass risk
- Educate users about increased risk of malicious file execution during the patching window
Patch Information
Microsoft has released security updates to address this vulnerability. Organizations should apply the patches available through the Microsoft Security Update Guide as soon as possible. Given this vulnerability's inclusion in the CISA KEV catalog, federal agencies are required to remediate by specified deadlines, and all organizations are strongly encouraged to prioritize patching.
Workarounds
- Implement application control policies to restrict execution of untrusted files
- Configure email gateways to block or quarantine potentially dangerous file types
- Enable strict Group Policy settings for SmartScreen and file execution warnings
- Consider blocking execution of files from common attack delivery paths until patching is complete
# Verify Mark of the Web status on downloaded files
# Check for Zone.Identifier alternate data stream
dir /r <filepath>
# View Zone.Identifier content
more < <filepath>:Zone.Identifier
# Verify Windows Update status for security patches
wmic qfe list brief | findstr /i "KB"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
