Microsoft Rectifies Zero-Day Flaw in Windows Smart App Control Exploited Since 2018

September 10, 2024

Microsoft has resolved a security flaw in its Windows Smart App Control and SmartScreen that has been exploited as a zero-day since at least 2018. The vulnerability, now identified as CVE-2024-38217, allowed threat actors to bypass these security features and launch untrusted or potentially dangerous applications and binaries without any warnings.

As Microsoft detailed in its security advisory, an attacker could exploit this vulnerability by hosting a file on a server under their control and then persuading a targeted user to download and open it. Doing so would let the attacker evade the Mark of the Web protections. Microsoft stated, "An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt."

Windows 11's Smart App Control, which uses Microsoft's app intelligence services and code integrity features, is designed to detect and block potentially harmful apps or binaries. It replaces SmartScreen in Windows 11, but if Smart App Control is not enabled, SmartScreen will automatically take over to provide protection against malicious content. Both security features are activated when users try to open files marked with a "Mark of the Web" label.

Elastic Security Labs disclosed CVE-2024-38217 last month as a flaw in the handling of LNK (shortcut) files, a technique known as LNK stomping. This flaw allows attackers to bypass the Smart App Control checks that would normally prevent untrusted applications from launching. LNK stomping involves the creation of LNK files with unconventional target paths or internal structures. When a user clicks on one of these files, Windows Explorer automatically rewrites the LNK file into its canonical format. That rewrite also strips the "Mark of the Web" label from the downloaded shortcut, the marker that Windows security features rely on to trigger an automated security check.

To take advantage of this flaw, attackers can add a dot or space to the target executable path or create an LNK file with a relative path. When the target clicks the link, Windows Explorer identifies the correct executable, updates the path, removes the MotW label, and launches the file, thereby bypassing security checks. Elastic Security Labs noted in August that there is reason to believe that this vulnerability has been exploited for years, with the oldest sample found on VirusTotal dating back over six years. The company shared its findings with the Microsoft Security Response Center, which acknowledged the issue and stated it "may be fixed in a future Windows update." Elastic Security Labs researcher Joe Desimone also developed and shared an open-source tool for evaluating a file's Smart App Control trust level.
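The two indicators described above (a shortcut target that Explorer would rewrite, and the presence or absence of the Mark of the Web) are what a defender can check for before a downloaded shortcut is opened or while triaging one after the fact. The following is an added example, not code from the article or from Elastic Security Labs' tooling. It works on two strings an endpoint agent or forensic script can collect: the shortcut's target path as stored in the LNK file, and the text of the file's `Zone.Identifier` alternate data stream (empty when the stream is absent). The `[ZoneTransfer]`/`ZoneId=` layout of that stream is the standard Windows format; the canonical-path heuristics (trailing dot or space, relative path) mirror the variants named in the article. All sample values are constructed.

```python
"""Heuristic triage of Windows shortcut (.lnk) metadata for LNK-stomping
indicators and Mark-of-the-Web (MotW) presence.

Added example (not the article's or Elastic's code). Inputs are plain
strings so the logic runs anywhere; on a live Windows host the caller
would read the Zone.Identifier stream and the LNK target path itself.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# URL security zone ids: 3 = Internet, 4 = Restricted Sites. Files carrying
# one of these zone ids are the ones SmartScreen / Smart App Control inspect.
UNTRUSTED_ZONES = {3, 4}

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\")          # e.g. C:\...
UNC_ROOT = re.compile(r"^\\\\[^\\]+\\[^\\]+")     # e.g. \\server\share\...


@dataclass
class LnkAssessment:
    target: str
    canonical: bool
    reasons: List[str] = field(default_factory=list)
    zone_id: Optional[int] = None

    @property
    def motw_present(self) -> bool:
        """True when the file still carries an untrusted-zone label."""
        return self.zone_id is not None and self.zone_id in UNTRUSTED_ZONES

    @property
    def needs_review(self) -> bool:
        """A labelled download whose target Explorer would rewrite: the
        rewrite would drop the label, so the check should happen now."""
        return self.motw_present and not self.canonical


def parse_zone_identifier(ads_text: str) -> Optional[int]:
    """Return ZoneId from Zone.Identifier stream text, or None if the stream
    is empty, malformed, or lacks a [ZoneTransfer] section."""
    in_section = False
    for raw in ads_text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):          # some other INI section
            in_section = False
            continue
        if in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None


def target_is_canonical(target: str) -> Tuple[bool, List[str]]:
    """Flag target paths that Windows Explorer would normalise on launch."""
    reasons: List[str] = []
    if target != target.rstrip(". "):
        reasons.append("target path ends with '.' or ' '")
    if not (DRIVE_ROOT.match(target) or UNC_ROOT.match(target)):
        reasons.append("target path is relative (no drive or UNC root)")
    parts = target.split("\\")
    if any(p in (".", "..") for p in parts):
        reasons.append("target path contains '.' or '..' components")
    return (not reasons, reasons)


def assess_lnk(target: str, zone_identifier: str = "") -> LnkAssessment:
    """Combine the path heuristic with the MotW zone into one record."""
    canonical, reasons = target_is_canonical(target)
    return LnkAssessment(target=target, canonical=canonical, reasons=reasons,
                         zone_id=parse_zone_identifier(zone_identifier))


if __name__ == "__main__":
    # Constructed samples: one ordinary downloaded shortcut, two stomped ones.
    samples = [
        ("C:\\Windows\\System32\\notepad.exe", "[ZoneTransfer]\r\nZoneId=3\r\n"),
        ("C:\\Users\\Public\\update.exe.", "[ZoneTransfer]\r\nZoneId=3\r\n"),
        (".\\installer.exe", ""),
    ]
    for tgt, ads in samples:
        a = assess_lnk(tgt, ads)
        print(f"{tgt!r}: canonical={a.canonical} motw={a.motw_present} "
              f"review={a.needs_review} reasons={a.reasons}")
```

The `needs_review` property encodes the defensive takeaway of the article: the moment to apply the reputation check is while the label is still attached, because Explorer's normalisation of a non-canonical target is exactly what removes it. A shortcut with no `Zone.Identifier` at all is not flagged here, since the function cannot tell a local shortcut from one whose label was already stripped; that distinction needs download history or file-creation telemetry.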
