Windows SmartScreen Security Bypass Vulnerability Exploited Since March Now Patched

August 13, 2024

Microsoft has recently patched a security vulnerability in its SmartScreen feature that had been exploited as a zero-day since March. The SmartScreen feature, first introduced with Windows 8, is designed to protect users from potentially harmful software when opening downloaded files marked with a Mark of the Web (MotW) label.

The vulnerability, dubbed CVE-2024-38213, could be exploited remotely by unauthenticated threat actors. However, the exploit required user interaction, making it more challenging for attackers to successfully exploit it. As Microsoft explained in a security advisory published this Tuesday, "An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. An attacker must send the user a malicious file and convince them to open it."

Despite the increased difficulty in exploiting the vulnerability, Peter Girnus, a security researcher at Trend Micro, discovered that it was being actively exploited in the wild in March. Girnus reported these attacks to Microsoft, who then patched the flaw during the June 2024 Patch Tuesday. However, Microsoft inadvertently omitted the advisory from that month's security updates and the subsequent month's as well.

In March, the DarkGate malware operators began exploiting this Windows SmartScreen bypass (CVE-2024-21412) to deploy malicious payloads disguised as installers for legitimate software like Apple iTunes, Notion, and NVIDIA. Trend Micro's researchers, while investigating the March campaign, also examined SmartScreen abuse in attacks and the handling of files from WebDAV shares during copy-and-paste operations.

Dustin Childs, ZDI's Head of Threat Awareness, stated, "In March 2024, Trend Micro's Zero Day Initiative Threat Hunting team started analyzing samples connected to the activity carried out by DarkGate operators to infect users through copy-and-paste operations." He continued, "As a result, we discovered and reported CVE-2024-38213 to Microsoft, which they patched in June. This exploit, which we've named copy2pwn, results in a file from a WebDAV being copied locally without Mark-of-the-Web protections."

It's worth noting that the DarkGate malware operators had previously exploited another Defender SmartScreen vulnerability, CVE-2023-36025, to deploy Phemedrone malware. This vulnerability was patched during the November 2023 Patch Tuesday. Additionally, the financially motivated Water Hydra (also known as DarkCasino) hacking group exploited CVE-2024-21412 to target stock trading Telegram channels and forex trading forums with the DarkMe remote access trojan (RAT) on New Year's Eve.

Another SmartScreen flaw, CVE-2024-29988, was exploited by the same cybercrime gang in February malware attacks. Elastic Security Labs also discovered a design flaw in Windows Smart App Control and SmartScreen that allowed attackers to launch programs without triggering security warnings. This issue has been exploited in attacks since at least 2018 and may be addressed in a future Windows update, as reported to Elastic Security Labs by Microsoft.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.