Skip to content

nmantani/archiver-MOTW-support-comparison

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits
 
 
 
 
 
 

Repository files navigation

Comparison of MOTW (Mark of the Web) propagation support of archiver software for Windows

English | Japanese

Background

On 3 March 2022, Microsoft announced that the default behavior of Office applications on Windows will be changed to block macros in files from the internet (such as email attachment).

An excerpt from the announcement:

VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.

...

This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word.

The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel and Monthly Enterprise Channel.

This is a great improvement of defense against malicious Office document files.

According to the announcement, whether blocking macro or not is determined based on MOTW (Mark of the Web) attribute of the file. Applications such as web browsers and email clients put MOTW on downloaded files and email attachments that come from the internet. MOTW is stored in Zone.Identifier NTFS alternate data stream.

To block macro of malicious Office document files that are extracted from archive files, an archiver software has to propagate MOTW to extracted files when an archive file has MOTW. If archiver software does not propagate MOTW, malicious Office documents in archive files can circumvent blocking.

A question came up: "What archiver software can propagate MOTW to extracted files?" So I tested some archiver software and summarized the result.

Comparison table of MOTW propagation support (as of 12 August 2024)

Name Tested version License MOTW propagation Enabled by default Note
"Extract all" built-in function of Windows Explorer Windows 11 23H2
Windows 10 22H2
proprietary Yes ✔️ Yes ✔️ MOTW bypass vulnerabilities (fixed) *1
7-Zip 24.08 GNU LGPL Yes ✔️ No ❌ *2
Bandizip Standard Edition 7.36 freeware Yes ✔️ Yes ✔️ MOTW bypass vulnerability (fixed) *3
Only for specific file extensions *4
CubeICE 3.4.0 freeware / proprietary Yes ✔️ Yes ✔️ MOTW bypass vulnerability (fixed) *5
Explzh 9.48 proprietary for commercial use Yes ✔️ Yes ✔️
NanaZip 3.0.1000.0 MIT Yes ✔️ No ❌ *6
PeaZip 9.9.0 GNU LGPL Yes ✔️ Yes ✔️
TC4Shell 21.3.0 (trial) proprietary Yes ✔️ Yes ✔️
Total Commander 11.03 (trial) proprietary Yes ✔️ Yes ✔️
WinRAR 7.01 (trial) proprietary Yes ✔️ Yes ✔️ Only for specific file extensions by default *7
WinZip 76.8 (trial) proprietary Yes ✔️ Yes ✔️
Ashampoo ZIP Free 1.0.7 freeware (registration required) No ❌
CAM UnZip 5.22.6.0 proprietary for commercial use No ❌
Expand-Archive cmdlet of PowerShell 7.4.4 MIT No ❌
Express Zip 11.13 proprietary for commercial use No ❌
File Compact 7.02 proprietary No ❌
IZArc 4.5 freeware No ❌
LhaForge 1.6.7 MIT No ❌
Lhaplus 1.74 freeware No ❌
PowerArchiver 22.00.09 (trial) proprietary No ❌
StuffIt Expander 15.0.8 freeware No ❌
tar.exe (bsdtar) of Windows 11 3.6.2 BSD 2-clause No ❌
Universal Extractor 2 2.0.0 RC 3 GNU GPLv2 No ❌
ZipGenious 6.3.2.3116 freeware No ❌
Zipware 1.6 freeware No ❌

*1: There were two MOTW bypass vulnerabilities of Windows and they were fixed by the security updates released on 8 November 2022.

*2: Though 7-Zip has supported MOTW propagation since version 22.00, it is disabled by default. You can enable it for 7-Zip GUI with the "Propagate Zone Id stream:" option in "Tools" -> "Options" -> "7-Zip" of 7-Zip File Manager.

images/7-zip-setting.png

When you set the option to Yes, 7-Zip propagates MOTW to all extracted files. When you set it to "For Office files", 7-Zip propagates MOTW to files with the following file extensions:

  • .doc .docb .docm .docx .dot .dotm .dotx .wbk .wll .wwl
  • .pot .potm .potx .ppa .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .sldm .sldx
  • .xla .xlam .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx

You can also enable MOTW propagation by setting the registry HKEY_CURRENT_USER\SOFTWARE\7-Zip\Options\WriteZoneIdExtract DWORD to 1.

For 7-Zip CLI, -snz switch is required to propagate MOTW regardless of the option above.

*3: There was a MOTW bypass vulnerability of Bandizip and it was fixed in Bandizip 7.29 released on 21 November 2022 (release note). The vulnerability is almost the same as CVE-2022-41049 of Windows (*1) and it can be exploited by just setting read-only file attribute to ZIP file contents. I found the vulnerability and reported it to Bandisoft, the developer of Bandizip. Bandisoft fixed it very quickly.

*4: Accoring to the document of Bandizip, Bandizip propagates MOTW to files with the following file extensions:

  • .exe .com .msi .scr .bat .cmd .pif .bat .lnk
  • .zip .zipx .rar .7z .alz .egg .cab .bh
  • .iso .img .isz .udf .wim .bin .i00
  • .js .jse .vbs .vbe .wsf
  • .url .reg
  • .docx .doc .xls .xlsx .ppt .pptx .wiz

I previously tested Bandizip with a ZIP archive file that contained only text files, and I misunderstood that Bandizip does not propagate MOTW.

*5: CubeICE has supported MOTW propagation since version 3.0.0, but this version had a MOTW bypass vulnerability. The vulnerability was fixed in version 3.0.1 released on 5 April 2023 (release note). The vulnerability is almost the same as CVE-2022-41049 of Windows (*1) and it can be exploited by just setting read-only file attribute to ZIP file contents. I found the vulnerability and reported it to CubeSoft, the developer of CubeICE. CubeICE fixed it very quickly.

*6: Though NanaZip has supported MOTW propagation since version 2.0 Preview 1, it is disabled by default. You can enable it with the "Propagate Zone Id stream:" option in "Tools" -> "Options" -> "Integration" of NanaZip GUI.

When you set the option to Yes, NanaZip propagate MOTW to all extracted files. When you set it to "For Office files", NanaZip propagate MOTW to files with the following file extensions:

  • .doc .docb .docm .docx .dot .dotm .dotx .wbk .wll .wwl
  • .pot .potm .potx .ppa .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .sldm .sldx
  • .xla .xlam .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx

*7: WinRAR 7.0 introduced the "Propagate Mark of the Web" option. You can choose the following values:

  • Never
  • For office files
  • For executable and office files
  • For all files
  • For user defined types

The option is supported only by WinRAR GUI. WinRAR CLI does not propagate MOTW regardless of the option.

images/winrar-setting.png

The default is "For executable and office files" and WinRAR propagates MOTW to files with the following file extensions:

  • .exe .bat .cmd .hta .lnk .msi .pif .ps1 .scr .vbs
  • .doc .docb .docm .docx .dot .dotm .dotx .wbk
  • .ppa .ppam .pot .potm .potx .pps .ppsm .ppsx .ppt .pptm .pptx .sldm .sldx
  • .xls .xlsb .xlsm .xlsx .xlm .xlt .xltm .xltx

When you set the option to "For office files", WinRAR propagates MOTW to files with the following file extensions:

  • .doc .docb .docm .docx .dot .dotm .dotx .wbk
  • .ppa .ppam .pot .potm .potx .pps .ppsm .ppsx .ppt .pptm .pptx .sldm .sldx
  • .xls .xlsb .xlsm .xlsx .xlm .xlt .xltm .xltx

You can specify file extensions when you set the option to "For user defined types".

Comparison table of MOTW propagation behavior (as of 12 August 2024)

Name Tested version MOTW propagation behavior
"Extract all" built-in function of Windows Explorer Windows 11 23H2
Windows 10 22H2
  • MOTW is propagated only if ZoneId value of the MOTW is 3 (Internet) or 4 (Untrusted sites)
  • ZoneId field of the archive file is inherited
  • The absolute path of the archive file is set for the ReferrerUrl field
  • All other fields are ignored
7-Zip 24.08
  • MOTW of the archive file is propagated without modification
  • Only for specific file extensions if the "Propagate Zone Id stream:" option is set to "For Office files" *2
Bandizip Standard Edition 7.36
  • MOTW of the archive file is propagated without modification
  • Only for specific file extensions *4
CubeICE 3.4.0
  • MOTW is propagated only if ZoneId value of the MOTW is 3 (Internet) or 4 (Untrusted sites)
  • Only ZoneId field of the archive file is inherited and all other fields are ignored
Explzh 9.48
  • MOTW is propagated only if ZoneId value of the MOTW is 3 (Internet)
  • Only ZoneId field of the archive file is inherited and all other fields are ignored
NanaZip 3.0.1000.0
  • MOTW of the archive file is propagated without modification
  • Only for specific file extensions if the "Propagate Zone Id stream:" option is set to "For Office files" *6
PeaZip 9.9.0
  • MOTW of the archive file is propagated without modification
TC4Shell 21.3.0 (trial)
  • Only ZoneId field of the archive file is inherited and all other fields are ignored
Total Commander 11.03 (trial)
  • MOTW of the archive file is propagated except for the ReferrerUrl field
WinRAR 7.01 (trial)
  • Only ZoneId field of the archive file is inherited and all other fields are ignored
  • Only for specific file extensions *7
WinZip 76.8 (trial)
  • MOTW is propagated only if ZoneId value of the MOTW is 3 (Internet)
  • ZoneId field of the archive file is inherited
  • The absolute path of the archive file is set for the ReferrerUrl field
  • All other fields are ignored

MOTW propagation examples

In these examples, MOTW was manually set for a ZIP archive file motw-test.zip with Set-MOTW.ps1, then MOTW of an extracted file is displayed with Get-MOTW.ps1. Set-MOTW.ps1 and Get-MOTW.ps1 are available at my PS-MOTW repository.

  • MOTW of a file extracted with Windows Explorer or WinZip (except version 28.0): images/explorer.png

  • MOTW of a file extracted with 7-Zip, Bandizip, NanaZip, or PeaZip: images/bandizip.png

  • MOTW of a file extracted with CubeICE, Explzh, TC4Shell, or WinRAR: images/explzh.png

  • MOTW of a file extracted with Total Commander: images/total-commander.png

FAQ

References

Author

Nobutaka Mantani (@nmantani)

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published