Microsoft Patches SmartScreen Bypass Vulnerability CVE-2024-38213

14 Aug 2024

Microsoft Enhances Security by Addressing Critical Vulnerability

Microsoft has taken significant steps to enhance user security by addressing a Mark of the Web (MotW) security bypass vulnerability, identified as CVE-2024-38213, during the June 2024 Patch Tuesday. This vulnerability had been exploited by attackers as a zero-day, allowing them to circumvent the SmartScreen protection feature, which was first introduced with Windows 8 to safeguard users from potentially harmful software when opening downloaded files.

SmartScreen serves as a critical line of defense, but the vulnerability in question can be exploited remotely by unauthenticated threat actors, albeit with a caveat: it necessitates user interaction. As noted in a security advisory from Microsoft, “An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. An attacker must send the user a malicious file and convince them to open it.”

Despite the inherent challenges in successfully executing such an attack, Trend Micro’s security researcher, Peter Girnus, uncovered evidence of the vulnerability being actively exploited in March. Following his report to Microsoft, the flaw was patched in June 2024. However, it is worth mentioning that the advisory detailing this fix was inadvertently omitted from the security updates released that month, as well as from those in July.

Windows SmartScreen Abused in Malware Attacks

According to Dustin Childs, Head of Threat Awareness at Trend Micro’s Zero Day Initiative, the investigation into the March attacks revealed that the DarkGate operators were utilizing this SmartScreen bypass to infect users through seemingly innocuous copy-and-paste operations. “In March 2024, Trend Micro’s Zero Day Initiative Threat Hunting team started analyzing samples connected to the activity carried out by DarkGate operators to infect users through copy-and-paste operations,” Childs explained.

During the March incidents, the DarkGate malware operators leveraged the SmartScreen bypass (CVE-2024-21412) to deploy malicious payloads disguised as installers for legitimate software such as Apple iTunes, Notion, and NVIDIA. As Trend Micro’s researchers delved deeper into the campaign, they also scrutinized how files from WebDAV shares were managed during copy-and-paste actions, leading to the discovery of CVE-2024-38213. This exploit, dubbed “copy2pwn,” allows a file from a WebDAV source to be copied locally without the protective measures typically associated with the Mark of the Web.
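The Mark of the Web that copy2pwn leaves off is stored in an NTFS alternate data stream named `Zone.Identifier`, so defenders can audit for its absence. The PowerShell below is an added example, not code from Microsoft or Trend Micro; the audited directory and the extension list are assumptions to adjust for your environment.

```powershell
# Added example: list launchable files under a directory with the zone recorded
# in their Mark of the Web (NTFS alternate data stream "Zone.Identifier").
# Assumptions: $Root and $Extensions are illustrative choices, not from the article.
$Root       = Join-Path $env:USERPROFILE 'Downloads'
$Extensions = @('.exe', '.msi', '.lnk', '.url', '.js', '.vbs', '.bat', '.cmd', '.ps1', '.hta')

# URL security zone identifiers as written into the [ZoneTransfer] section.
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MotwZone {
    param([string]$Path)
    # $null -> file has no Zone.Identifier stream (no MotW at all)
    # -1    -> stream exists but holds no parseable ZoneId line
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $content = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $content) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return -1
}

Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Created = $_.CreationTime
            ZoneId  = $zone
            Zone    = if ($null -eq $zone) { 'NoMotW' }
                      elseif ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] }
                      else { 'Unknown' }
        }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

A `NoMotW` result is a triage signal rather than proof of abuse: files created locally, or stored on volumes without alternate data stream support, also carry no stream.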

Interestingly, CVE-2024-21412 was itself a bypass for another Defender SmartScreen vulnerability, CVE-2023-36025, which had been exploited as a zero-day to deploy Phemedrone malware and was patched in November 2023. The financially motivated hacking group known as Water Hydra, also referred to as DarkCasino, has been implicated in exploiting CVE-2024-21412 to target stock trading Telegram channels and forex trading forums, notably deploying the DarkMe remote access trojan (RAT) on New Year’s Eve.

In addition to these vulnerabilities, Childs highlighted that the same cybercriminal organization had also exploited CVE-2024-29988, another SmartScreen flaw and bypass of CVE-2024-21412, during malware attacks in February. Furthermore, Elastic Security Labs has identified a design flaw in Windows Smart App Control and SmartScreen that allows attackers to launch programs without triggering security warnings, a vulnerability that has been exploited since at least 2018. Elastic Security Labs reported these findings to Microsoft, which indicated that this issue “may be fixed” in a future Windows update.
