What is Windows Mark of the Web?
The Mark of the Web (MOTW) is a Windows security mechanism that attaches zone information to files downloaded from the internet or received via email. MOTW is implemented as an NTFS alternate data stream named Zone.Identifier attached to downloaded files. Files tagged with MOTW (Zone 3 — Internet) are subject to additional security controls when executed or opened: SmartScreen reputation checks, Office Protected View (which opens documents in a restricted read-only mode), Attachment Execution Service (AES) blocks on executable files, and Office macro blocking for documents received from the internet. MOTW is a foundational Windows security layer that many defensive controls rely on — bypassing it undermines all these protections simultaneously, allowing an attacker-delivered file to execute as if it were locally created and trusted.
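To make the mechanism concrete, the following Python is an added example (not code from the original page or from Microsoft). It parses the INI-style contents of a Zone.Identifier stream, maps the ZoneId to its URL security zone, and reports whether the MOTW-dependent controls would treat the file as internet-sourced. The sample stream contents are constructed; the helper names (parse_zone_identifier, read_zone_identifier, ZoneInfo) are mine, and read_zone_identifier relies on the NTFS "file:stream" path syntax, so it only works on Windows.

```python
"""Parse the Zone.Identifier alternate data stream that carries the Mark of the Web."""
import sys
from dataclasses import dataclass
from typing import Optional

# URL security zone IDs used by Windows (the URLZONE_* values).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class ZoneInfo:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def triggers_motw_controls(self) -> bool:
        # SmartScreen, Office Protected View and the Attachment Execution Service
        # treat content from the Internet (3) and Restricted Sites (4) zones as untrusted.
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[ZoneInfo]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.

    Returns None when the section or the ZoneId key is absent or malformed;
    an empty or unparsable mark is treated exactly like a missing one.
    """
    section = None
    values = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    if "zoneid" not in values:
        return None
    try:
        zone_id = int(values["zoneid"])
    except ValueError:
        return None
    return ZoneInfo(zone_id, values.get("referrerurl"), values.get("hosturl"))


def read_zone_identifier(path: str) -> Optional[ZoneInfo]:
    """Read the Zone.Identifier ADS of a file on an NTFS volume (Windows only).

    NTFS exposes alternate data streams through the "file:stream" path syntax,
    so the stream opens like an ordinary file. A missing stream raises
    FileNotFoundError, which means the file carries no mark at all.
    """
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


# Constructed sample: what a browser writes for a download from the Internet zone.
SAMPLE_INTERNET_MARK = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/report.docx\r\n"
)

# Constructed sample: a mark claiming the Local Machine zone, which applies no controls.
SAMPLE_LOCAL_MARK = "[ZoneTransfer]\r\nZoneId=0\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_INTERNET_MARK, SAMPLE_LOCAL_MARK, ""):
        info = parse_zone_identifier(sample)
        if info is None:
            print("no mark -> file is treated as local and trusted")
        else:
            print(f"ZoneId={info.zone_id} ({info.zone_name}), "
                  f"MOTW controls apply: {info.triggers_motw_controls}")
```

On a Windows host, `read_zone_identifier(r"C:\Users\alice\Downloads\report.docx")` returns the parsed mark or None; a None result for a file that was just downloaded from the internet is exactly the condition a bypass of this class produces.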
Overview
CVE-2023-36584 is a protection mechanism failure vulnerability (CWE-693) in Windows that allows an attacker to bypass the Mark of the Web security feature. When a user opens an attacker-crafted file, the MOTW zone identifier is not correctly applied or preserved, causing Windows to treat the file as trusted rather than internet-sourced. This bypasses SmartScreen, Protected View in Office, and other MOTW-dependent security checks.
The CVSS 3.1 score of 5.4 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) is notably low; the I:L/A:L components (low integrity and availability impact, no confidentiality impact) reflect that the vulnerability enables bypass of a security feature rather than direct code execution or data theft. MOTW bypasses are typically chained with a code execution vulnerability to create a weaponized delivery chain that circumvents endpoint protection.
CVE-2023-36584 was patched in the October 2023 Patch Tuesday but added to the CISA KEV catalog on November 16, 2023 — five weeks after the patch — indicating post-patch exploitation confirmation.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Windows 10 (multiple versions) | Yes | October 2023 cumulative update |
| Windows 11 (multiple versions) | Yes | October 2023 cumulative update |
| Windows Server 2016 through 2022 | Yes | October 2023 cumulative update |
Technical Details
The Mark of the Web bypass (CWE-693 — Protection Mechanism Failure) involves a flaw in how Windows applies or propagates the Zone.Identifier NTFS alternate data stream to specific file types or in specific delivery contexts. Possible bypass mechanisms include:
- Archive extraction without zone propagation — files extracted from a specially crafted archive container (ZIP, ISO, LNK) do not inherit the archive's MOTW tag, even when the archive itself is tagged
- Encoding or container bypass — a specific file container or encoding causes the MOTW to be stripped or not applied to the extracted/processed content
- Path or junction-based bypass — a symbolic link or directory junction creates a situation where the file is written to a path where NTFS ADS are not preserved
When the bypass succeeds, the file behaves as if it is in the Local Zone (Zone 0) or Trusted Sites zone rather than the Internet Zone (Zone 3) — disabling SmartScreen and Office Protected View for that file.
The five-week gap between patch and KEV addition (October 10 → November 16) is consistent with threat actors continuing to exploit the bypass on unpatched systems after the patch was released, with exploitation being confirmed in November incident response or threat intelligence.
Discovery
Microsoft confirmed CVE-2023-36584 was actively exploited at the time of the November 2023 KEV addition, which is five weeks after the October 10, 2023 patch. The delayed KEV addition (compared to same-day additions for October's other zero-days) suggests exploitation was confirmed after the patch cycle, rather than being Microsoft-confirmed at Patch Tuesday time.
Exploitation Context
MOTW bypasses are consistently weaponized alongside code execution vulnerabilities to create complete malware delivery chains that evade endpoint defenses. Microsoft's 2022 introduction of internet macro blocking in Office dramatically raised the cost of Office macro-based malware delivery, driving threat actors to invest in MOTW bypass techniques to restore macro delivery and SmartScreen bypass capabilities. The run of MOTW bypass CVEs in 2022–2023 (CVE-2022-44698, CVE-2023-24880, and now CVE-2023-36584) reflects sustained attacker investment in defeating this defensive layer.
Remediation
- Apply the October 2023 Windows cumulative update — patches CVE-2023-36584.
- Maintain monthly Windows patching — MOTW bypasses are discovered repeatedly; staying current ensures new bypasses are closed promptly.
- Enable SmartScreen — while this CVE bypasses MOTW, ensuring SmartScreen is enabled provides defense-in-depth that may still catch known-malicious files via hash or URL reputation.
- Enable Attack Surface Reduction (ASR) rules — Microsoft Defender ASR rules for blocking Office child processes and untrusted executable content limit the blast radius when MOTW protection is bypassed.
- Monitor for MOTW zone identifier removal — endpoint detection rules that alert on execution of files from temporary download directories without a Zone.Identifier ADS can detect MOTW bypass activity.
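As an added example serving both the bypass mechanisms listed under Technical Details (an extracted file that fails to inherit its archive's mark) and the monitoring bullet above, the Python below runs two detection checks over constructed endpoint events. It is not part of the original page or of any vendor product; the FileEvent record, the directory patterns, and the assumption that telemetry has already been enriched with each file's ZoneId (None when the Zone.Identifier stream is absent) are all mine.

```python
"""Detection logic for Mark-of-the-Web propagation failures and unmarked executions.

The event records are a constructed stand-in for endpoint telemetry (file-create
and process-create events enriched with the ZoneId from Zone.Identifier).
"""
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

INTERNET_ZONE = 3  # ZoneId 3 (Internet) and 4 (Restricted Sites) trigger MOTW controls

# Assumed locations where user-downloaded or freshly extracted content lands.
# Patterns are matched against lower-cased Windows paths.
DOWNLOAD_DIR_PATTERNS = (
    r"c:\users\*\downloads\*",
    r"c:\users\*\appdata\local\temp\*",
    r"c:\users\*\appdata\local\microsoft\windows\inetcache\*",
)


@dataclass
class FileEvent:
    kind: str                               # "file_create" or "process_create"
    path: str
    zone_id: Optional[int]                  # ZoneId from Zone.Identifier, None if no stream
    source_archive: Optional[str] = None    # archive this file was extracted from, if any
    source_archive_zone: Optional[int] = None


def is_marked_untrusted(zone_id: Optional[int]) -> bool:
    """True when the mark places the file in the Internet or Restricted Sites zone."""
    return zone_id is not None and zone_id >= INTERNET_ZONE


def find_propagation_failures(events: Iterable[FileEvent]) -> List[str]:
    """Files extracted from an Internet-marked archive that did not inherit the mark.

    This is the archive-extraction bypass pattern: the container is tagged,
    the child is not, so the child runs as if it were locally created.
    """
    flagged = []
    for ev in events:
        if ev.kind != "file_create" or ev.source_archive is None:
            continue
        if is_marked_untrusted(ev.source_archive_zone) and not is_marked_untrusted(ev.zone_id):
            flagged.append(ev.path)
    return flagged


def find_unmarked_executions(events: Iterable[FileEvent],
                             patterns: Sequence[str] = DOWNLOAD_DIR_PATTERNS) -> List[str]:
    """Process launches from download/temp locations whose image carries no Internet mark."""
    flagged = []
    for ev in events:
        if ev.kind != "process_create" or is_marked_untrusted(ev.zone_id):
            continue
        low = ev.path.lower()
        if any(fnmatch.fnmatchcase(low, p) for p in patterns):
            flagged.append(ev.path)
    return flagged


# Constructed sample telemetry: a tagged ZIP is extracted; the document inherits
# the mark, the executable does not, and is then launched.
SAMPLE_EVENTS = [
    FileEvent("file_create", r"C:\Users\alice\Downloads\invoice.zip", 3),
    FileEvent("file_create", r"C:\Users\alice\Downloads\invoice\invoice.docx", 3,
              source_archive=r"C:\Users\alice\Downloads\invoice.zip", source_archive_zone=3),
    FileEvent("file_create", r"C:\Users\alice\Downloads\invoice\setup.exe", None,
              source_archive=r"C:\Users\alice\Downloads\invoice.zip", source_archive_zone=3),
    FileEvent("process_create", r"C:\Users\alice\Downloads\invoice\setup.exe", None),
    FileEvent("process_create", r"C:\Users\alice\Downloads\tool.exe", 3),      # marked: SmartScreen ran
    FileEvent("process_create", r"C:\Program Files\Vendor\app.exe", None),     # installed software
    FileEvent("process_create", r"C:\Users\alice\AppData\Local\Temp\7zO1234\readme.exe", None),
]

if __name__ == "__main__":
    for path in find_propagation_failures(SAMPLE_EVENTS):
        print(f"[propagation failure] extracted without MOTW: {path}")
    for path in find_unmarked_executions(SAMPLE_EVENTS):
        print(f"[unmarked execution]  launched without MOTW: {path}")
```

Both checks produce candidates rather than verdicts: users and some installers legitimately remove the mark (for example with Unblock-File), so in practice the unmarked-execution rule is tuned with an allow-list of signed or known binaries, while the propagation-failure rule is the higher-fidelity signal because it ties the missing mark to a specific tagged container.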
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-36584 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2023-10-10 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 5.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
| Severity | MEDIUM |
| CWE | CWE-693 |
| CISA KEV Added | 2023-11-16 |
| CISA KEV Deadline | 2023-12-07 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-10-10 | Microsoft October 2023 Patch Tuesday — CVE-2023-36584 patched; CVE published on same day |
| 2023-11-16 | CISA adds CVE-2023-36584 to the Known Exploited Vulnerabilities catalog — five weeks after the October 2023 patch, confirming active exploitation in the wild |
| 2023-12-07 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center Advisory | Vendor Advisory |
| NVD — CVE-2023-36584 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |