Design Flaws in Security Features
Elastic Security Labs has conducted a thorough investigation into the design of SAC and its predecessor, SmartScreen, identifying several inherent weaknesses. According to their report, these flaws can allow attackers to gain initial access to systems without triggering any security alerts or warnings. The researchers detail various attack methods that can effectively bypass the protections offered by Windows Smart App Control, including a notable bug related to the handling of .lnk files.
Originally introduced as Defender SmartScreen in Windows 8, this security feature has evolved into the more comprehensive Smart App Control in Windows 11. The system is intended to detect and prevent the execution of malicious applications by cross-referencing them against a Microsoft database of known safe and dangerous executables. However, Elastic warns that the potential for exploitation remains alarmingly high.
- Malicious applications can be signed with legitimate certificates, allowing them to evade detection.
- Reputation hijacking can exploit trusted applications to launch harmful code without alerting users.
Furthermore, the report highlights a technique known as reputation tampering, which poses an additional threat to the integrity of SAC. As described by Elastic, traditional reputation systems rely on cryptographically secure hashing to prevent tampering. However, the researchers discovered that certain modifications to files could occur without altering their reputation status within SAC. This suggests that the system may utilize fuzzy hashing or feature-based similarity comparisons, which could be manipulated to maintain a benign reputation even after code alterations.
Another vulnerability identified by Elastic is termed LNK Stomping. This method involves creating .lnk files with non-standard target paths or internal structures. When these files are clicked, they are reformatted by explorer.exe, which inadvertently removes the Mark of the Web (MotW) label before any security checks are conducted, making them easier to exploit.
The full findings from Elastic Security Labs are accessible in their detailed report, which includes videos demonstrating the various attack vectors. The conclusion of the report serves as a critical reminder for security teams:
In response to these vulnerabilities, Elastic has developed a tool designed to assess the trustworthiness of files, with the source code made publicly available for further scrutiny and enhancement.
Image credit: Kheng Ho Toh / Dreamstime.com