Recent findings from cybersecurity researchers have illuminated significant design vulnerabilities within Microsoft’s Windows Smart App Control (SAC) and SmartScreen. These weaknesses could potentially allow threat actors to infiltrate target environments without triggering any security alerts.
Smart App Control, a cloud-driven security feature introduced with Windows 11, aims to prevent the execution of malicious, untrusted, and potentially unwanted applications. When the service cannot ascertain the safety of an app, it resorts to checking whether the application is signed or possesses a valid signature before allowing execution.
Similarly, SmartScreen, which debuted with Windows 10, assesses whether a website or downloaded application poses a threat. It employs a reputation-based methodology to safeguard URLs and applications. According to Microsoft’s documentation, “Microsoft Defender SmartScreen evaluates a website’s URLs to determine if they’re known to distribute or host unsafe content.” This feature also conducts reputation checks for applications, analyzing downloaded programs and the digital signatures associated with files. If an item has a well-established reputation, users are not presented with warnings; conversely, items lacking such a reputation are flagged as higher risk.
Notably, when Smart App Control is activated, it supersedes and disables Defender SmartScreen, which raises concerns about the overall security framework.
Design Weaknesses in Microsoft’s Security Features
Elastic Security Labs recently reported that both Smart App Control and SmartScreen possess fundamental design flaws that could facilitate initial access with minimal user interaction and no security warnings. One prevalent method for bypassing these protections involves obtaining a legitimate Extended Validation (EV) certificate for an application—a tactic that has already been exploited by malicious actors, as demonstrated in the recent HotPage incident.
Additional methods for evading detection include:
- Reputation Hijacking: This technique involves identifying and repurposing applications with a good reputation to circumvent the security system, such as using JamPlus or a recognized AutoHotkey interpreter.
- Reputation Seeding: Here, an attacker-controlled binary masquerades as innocuous to trigger malicious behavior, either due to an application vulnerability or after a predetermined time period.
- Reputation Tampering: This method entails modifying specific sections of a legitimate binary, like a calculator, to inject shellcode while maintaining the overall reputation of the application.
- LNK Stomping: This exploits a flaw in how Windows handles shortcut (LNK) files, allowing attackers to remove the mark-of-the-web (MotW) tag, thereby circumventing SAC protections since SAC blocks files labeled as such.
The researchers noted, “This involves crafting LNK files with non-standard target paths or internal structures. When activated, these LNK files are reformatted by explorer.exe, leading to the removal of the MotW label before any security checks are conducted.”
While reputation-based protection systems offer a robust layer against commodity malware, they are not infallible. As highlighted by the researchers, “Like any protection technique, they have weaknesses that can be bypassed with some care.” Consequently, security teams are advised to rigorously examine downloads within their detection frameworks rather than solely relying on native operating system protections.
