A potentially serious security flaw which had been exploited since at least 2018 has been found in Windows Smart App Control and SmartScreen.
The flaw allows attackers to launch malicious programs on devices without triggering alerts that would typically show if a Mark of the Web (MotW) file was opened, experts have warned.
Both Smart App Control and SmartScreen are designed to pull up an alert when MotW files are opened, as they can contain potentially dangerous apps and binaries.
Format correction removing MotW
The flaw was discovered by Elastic Security Labs, and is exploited by creating LNK files with modified target paths or internal structures which are automatically reformatted by explorer.exe when opened. This reformatting removes the MotW, stopping security alerts from Smart App Control and SmartScreen.
All it takes to modify the target path of a file is a single space or dot, which Windows Explorer will correct, and in doing so will remove the MotW tag by updating the file. The same goes for creating an LNK file with a modified relative path.
The oldest version of VirusTotal that abuses this flaw is at least six years old, meaning that this flaw has been actively exploited since at least 2018. But the Smart App Control and SmartScreen flaws don’t end there. Elastic Security Labs also identified other ways to bypass the app’s security controls.
By using code-signing or EV signing certificates, the researchers could sign malicious payloads that would not alert Smart App Control or SmartScreen. It is also possible to repurpose apps that have a pre-existing good reputation to dodge security checks. Attackers could also bypass security measures by deploying a malicious application that only triggers security checks if certain conditions are met.
“Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area. We are releasing this information, along with detection logic and countermeasures, to help defenders identify this activity until a patch is available,” Elastic Security Labs said.
Via BleepingComputer