Windows Smart App Control, SmartScreen Vulnerable to Exploits
Cybersecurity specialists have discovered significant flaws in the protective mechanisms of Microsoft Windows—Smart App Control (SAC) and SmartScreen. The identified vulnerabilities allow malicious actors to infiltrate target systems without triggering alerts and with minimal user interaction.
SAC, introduced in Windows 11, is a cloud-based security system designed to block the execution of malicious and untrusted applications. When SAC cannot definitively assess a program, it verifies the presence of a valid digital signature. It is noteworthy that activating SAC disables Defender SmartScreen.
SmartScreen, implemented since Windows 10, performs a similar function by evaluating the safety of websites and downloaded files. It analyzes the reputation of URLs and applications, verifying downloaded programs and their digital signatures. If a URL, file, or application has an established reputation, users do not see warnings; the absence of a reputation results in the object being flagged as potentially dangerous.
Researchers from Elastic Security Labs have uncovered several fundamental design flaws in both systems, which can be exploited for undetected system infiltration.
One of the simplest bypass methods involves signing a malicious application with a valid Extended Validation (EV) certificate. This technique is already actively employed by cybercriminals, as recently demonstrated by the HotPage malware.
Experts have identified several other methods of bypassing protection:
- Reputation Hijacking: Using applications with a good reputation to circumvent the system, such as JamPlus or well-known AutoHotkey interpreters.
- Reputation Seeding: Employing a seemingly benign file controlled by the attacker, which executes malicious code under certain conditions or after a set time.
- Reputation Substitution: Modifying parts of a legitimate executable file to embed malicious code without losing its overall positive reputation.
- LNK Stomping: Exploiting a vulnerability in Windows shortcut (LNK) handling to remove the security label and bypass SAC protection. This method involves creating LNK files with non-standard parameters that the system modifies upon opening, leading to the removal of the security label before checks are conducted.
Of particular concern is the fact that traces of the LNK Stomping technique were detected as early as February 2018. This indicates that malicious actors have been aware of this bypass method for several years.
Researchers emphasize that while reputation-based protection systems are effective against widespread malware, they possess vulnerabilities that can be exploited by skilled hackers. Security experts recommend not relying solely on built-in operating system protection features and thoroughly inspecting all downloaded files.
