LNK Stomping (CVE-2024-38217): Microsoft Patches Years-Old Zero-Day Flaw
Microsoft’s September 2024 security update addresses a zero-day vulnerability affecting Smart App Control and SmartScreen. This vulnerability, dubbed “LNK stomping” (CVE-2024-38217), has been actively exploited by hackers since at least 2018, allowing malicious files to bypass crucial security warnings.
Windows employs a built-in security mechanism to automatically flag files downloaded from the internet, prompting a cautionary message when users attempt to open them. Hackers, however, discovered a relatively simple technique to circumvent this safeguard, permitting internet-sourced files to execute without raising any alarms.
CVE-2024-38217 lies in how Windows Explorer handles LNK files. By crafting LNK files with unusual target paths or internal structures, attackers trigger a process that inadvertently removes the “Mark of the Web” (MotW) attribute during file normalization. The MotW label is instrumental for Windows security features like SmartScreen, which rely on it to initiate automated security checks.
Security researchers at Elastic Security identified and reported the vulnerability last month. Disturbingly, evidence suggests that hackers have been exploiting LNK stomping for at least six years, with numerous samples detected on VirusTotal dating back to 2018.
Microsoft swiftly acknowledged the issue and committed to rectifying it in Windows releases. The September 2024 security update now provides users the fix to mitigate this serious threat.
Security experts urge all Windows users to install the latest security update immediately. Failing to do so could leave systems susceptible to malware infections and other cyberattacks.
