Design Flaw in Windows Security Features Exploited Since 2018
A significant design flaw has been identified in Windows Smart App Control and SmartScreen, allowing attackers to execute programs without triggering the expected security warnings. This vulnerability has reportedly been exploited since at least 2018, raising concerns about the effectiveness of these security measures.
Smart App Control serves as a reputation-based security feature, leveraging Microsoft’s app intelligence services to predict safety and utilizing Windows’ code integrity features to identify and block untrusted or potentially harmful applications. This feature is a successor to SmartScreen, which was first introduced in Windows 8 to guard against malicious content. Both systems activate when users attempt to open files marked with a Mark of the Web (MotW) label.
Elastic Security Labs Uncovers LNK Stomping Technique
Recent findings from Elastic Security Labs have shed light on a specific bug related to the handling of LNK files, a technique referred to as “LNK stomping.” This method allows threat actors to circumvent the security controls of Smart App Control, which are intended to prevent the execution of untrusted applications. LNK stomping involves the creation of LNK files with unconventional target paths or internal structures. When a user interacts with such a file, the Windows Explorer modifies it to conform to the correct canonical format, inadvertently stripping away the MotW label that triggers security checks.
To exploit this vulnerability, attackers can manipulate the target executable path by appending a dot or space (for example, “powershell.exe.”) or by crafting an LNK file with a relative path like “.target.exe.” Upon clicking the link, Windows Explorer identifies the corresponding .exe file, updates the path, removes the MotW label, and proceeds to launch the executable.
Elastic Security Labs has observed multiple instances of this exploit in the wild, with samples dating back over six years, indicating a long-standing issue. The lab has communicated these findings to the Microsoft Security Response Center, which has acknowledged the problem and indicated that a resolution may be included in a future Windows update.
Additional Vulnerabilities Highlighted
In addition to LNK stomping, Elastic Security Labs has highlighted several other vulnerabilities that could be leveraged to bypass Smart App Control and SmartScreen:
- Signed malware: Utilizing code-signing or Extended Validation (EV) signing certificates to sign malicious payloads.
- Reputation hijacking: Repurposing applications with established good reputations to evade detection.
- Reputation seeding: Deploying binaries controlled by attackers onto systems, which may contain known vulnerabilities or malicious code that activates under specific conditions.
- Reputation tampering: Injecting harmful code into binaries while maintaining their associated reputation.
Elastic Security Labs has issued a warning regarding the fundamental design weaknesses in Smart App Control and SmartScreen, emphasizing that these flaws can facilitate initial access without security warnings and with minimal user interaction. They advise security teams to conduct thorough scrutiny of downloads within their detection frameworks and not to rely solely on native operating system security features for protection.
In an effort to assist defenders in identifying these activities until a patch is released, Elastic Security Labs has shared detection logic and countermeasures. Additionally, researcher Joe Desimone has made available an open-source tool designed to assess a file’s trust level within Smart App Control.