Researchers Published PoC Exploit for Windows Zero-Day CVE-2023-36025 Vulnerability

CVE-2023-36025 PoC

Security researchers have deconstructed the patch released by Microsoft and crafted a proof-of-concept (PoC) exploit for the CVE-2023-36025 vulnerability. This flaw has been discovered and patched, but not before it was actively exploited by threat actors.

CVE-2023-36025, rated 8.8 for severity, is a sophisticated security feature bypass flaw within the Windows SmartScreen component. According to Microsoft’s advisory, the flaw enables attackers to sidestep the usual SmartScreen checks and their associated warnings. User interaction is essential here: the victim must click on a specially crafted Internet Shortcut (.URL) file, or a hyperlink pointing to such a file, for the exploit to succeed.

“The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts,” Microsoft disclosed in an advisory issued this month as part of Patch Tuesday updates. “The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker.”

The detection and reporting of this flaw are credited to Will Metcalf of Splunk, Microsoft Threat Intelligence, and the Microsoft Office Product Group Security Team.

Imagine an Internet Shortcut file disguised as a benign link.

[InternetShortcut]
URL=malicious-website.com
IDList=
IconFile=\\192.168.1.100\share\icon.ico
IconIndex=1

This .URL file, while appearing legitimate, actually points to a malicious website. The trick lies in the IconFile path, potentially a network location under the attacker’s control, where malicious payloads lie in wait.

The method of delivery could be as commonplace as phishing emails or compromised websites. Unsuspecting users, upon clicking this crafted .URL file, would not receive the usual SmartScreen warning. Instead, they would be ushered directly onto a malicious site or unwittingly trigger harmful code execution.
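One way to triage .URL files for the pattern described above is to parse the [InternetShortcut] section and flag an IconFile (or link target) that points at a network host. This is an added example, not code from the article or from the Security Lit PoC; the function names and flag labels are illustrative assumptions, and the sample input is the shortcut shown above.

```python
import re

# Constructed sample: the shortcut shown in the article.
SAMPLE = r"""[InternetShortcut]
URL=malicious-website.com
IDList=
IconFile=\\192.168.1.100\share\icon.ico
IconIndex=1
"""

# \\host\share\... (tolerates backslashes doubled by escaping in scraped copies)
UNC_RE = re.compile(r"^\\{2,}([^\\/]+)[\\/]")
# scheme://host/...
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/\\:]+)", re.I)

def parse_url_file(text):
    """Return key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def remote_host(value):
    """Host if value is a UNC path or scheme://host reference, else None."""
    m = UNC_RE.match(value) or SCHEME_RE.match(value)
    return m.group(1).lower() if m else None

def triage(text):
    """Summarise a .URL file and flag fields that reach out to a remote host."""
    fields = parse_url_file(text)
    report = {"url": fields.get("url", ""), "icon_host": None, "flags": []}
    report["icon_host"] = remote_host(fields.get("iconfile", ""))
    if report["icon_host"]:
        report["flags"].append("remote-icon")   # icon fetched from a network location
    if UNC_RE.match(report["url"]):
        report["flags"].append("unc-target")    # link target itself is a network share
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A shortcut whose icon lives on a local path (for example a system DLL) produces no flags, so the check can run over mail attachments or download folders without drowning in noise.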

Security Lit Limited has crafted a proof-of-concept (PoC) exploit, demonstrating the real-world application of the CVE-2023-36025 flaw. This PoC underscores the vulnerability: a crafted Internet Shortcut file or hyperlink which SmartScreen fails to flag correctly, opening doors to potential exploits.

Microsoft has released a patch to address this vulnerability. Users are strongly advised to apply this patch immediately to protect their systems.