Microsoft's Smart App Control in Windows 11 Faces Security Vulnerabilities

Design Flaws in Security Features

Elastic Security Labs has conducted a thorough investigation into the design of SAC and its predecessor, SmartScreen, identifying several inherent weaknesses. According to their report, these flaws can allow attackers to gain initial access to systems without triggering any security alerts or warnings. The researchers detail various attack methods that can effectively bypass the protections offered by Windows Smart App Control, including a notable bug related to the handling of .lnk files.

Originally introduced as Defender SmartScreen in Windows 8, this security feature has evolved into the more comprehensive Smart App Control in Windows 11. The system is intended to detect and prevent the execution of malicious applications by cross-referencing them against a Microsoft database of known safe and dangerous executables. However, Elastic warns that the potential for exploitation remains alarmingly high.

• Malicious applications can be signed with legitimate certificates, allowing them to evade detection.
• Reputation hijacking can exploit trusted applications to launch harmful code without alerting users.

Furthermore, the report highlights a technique known as reputation tampering, which poses an additional threat to the integrity of SAC. As described by Elastic, traditional reputation systems rely on cryptographically secure hashing to prevent tampering. However, the researchers discovered that certain modifications to files could occur without altering their reputation status within SAC. This suggests that the system may utilize fuzzy hashing or feature-based similarity comparisons, which could be manipulated to maintain a benign reputation even after code alterations.

“Through trial and error, we could identify segments that could be safely tampered with and keep the same reputation. We crafted one tampered binary with a unique hash that had never been seen by Microsoft or SAC. This embedded an ‘execute calc’ shellcode and could be executed with SAC in enforcement mode.”

Another vulnerability identified by Elastic is termed LNK Stomping. This method involves creating .lnk files with non-standard target paths or internal structures. When these files are clicked, they are reformatted by explorer.exe, which inadvertently removes the Mark of the Web (MotW) label before any security checks are conducted, making them easier to exploit.

The full findings from Elastic Security Labs are accessible in their detailed report, which includes videos demonstrating the various attack vectors. The conclusion of the report serves as a critical reminder for security teams:

“Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area.”

In response to these vulnerabilities, Elastic has developed a tool designed to assess the trustworthiness of files, with the source code made publicly available for further scrutiny and enhancement.

Image credit: Kheng Ho Toh / Dreamstime.com

Update: 06 Aug 2024