Windows Smart App Control has a worrying security bug that hackers exploited for years

News
By published

Smart App Control and SmartScreen have been bypassed for at least six years

cybercrime
(Image credit: Getty Images)

A potentially serious security flaw which had been exploited since at least 2018 has been found in Windows Smart App Control and SmartScreen.

The flaw allows attackers to launch malicious programs on devices without triggering alerts that would typically show if a Mark of the Web (MotW) file was opened, experts have warned.

Both Smart App Control and SmartScreen are designed to pull up an alert when MotW files are opened, as they can contain potentially dangerous apps and binaries.

Format correction removing MotW

The flaw was discovered by Elastic Security Labs, and is exploited by creating LNK files with modified target paths or internal structures which are automatically reformatted by explorer.exe when opened. This reformatting removes the MotW, stopping security alerts from Smart App Control and SmartScreen.

All it takes to modify the target path of a file is a single space or dot, which Windows Explorer will correct, and in doing so will remove the MotW tag by updating the file. The same goes for creating an LNK file with a modified relative path.

The oldest version of VirusTotal that abuses this flaw is at least six years old, meaning that this flaw has been actively exploited since at least 2018. But the Smart App Control and SmartScreen flaws don’t end there. Elastic Security Labs also identified other ways to bypass the app's security controls.

By using code-signing or EV signing certificates, the researchers could sign malicious payloads that would not alert Smart App Control or SmartScreen. It is also possible to repurpose apps that have a pre-existing good reputation to dodge security checks. Attackers could also bypass security measures by deploying a malicious application that only triggers security checks if certain conditions are met.

“Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area. We are releasing this information, along with detection logic and countermeasures, to help defenders identify this activity until a patch is available,” Elastic Security Labs said.

Via BleepingComputer 

More from TechRadar Pro

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

More about pro
Full view of the Zyxel SCR 50AXE

I tested the Zyxel SCR 50AXE - read what I thought of this affordable small office Wi-Fi 6E security router
Veritas Backup Exec 22.2 main image

I tried the Veritas Backup Exec 22.2 - see what this backup solution for SMBs is really like
Google Ads integration in Hostinger Website Builder

Hostinger has just added a super useful free feature for SMBs looking to get visitors and customers to their websites
See more latest
Most Popular
Google Ads integration in Hostinger Website Builder
Hostinger has just added a super useful free feature for SMBs looking to get visitors and customers to their websites
The front and back of an iPhone 16e on a blue and violet background
SpaceX and Apple reported spat could spell bad news for Starlink and your iPhone’s satellite communication features
A file and folder transferring data with a red warning mark indicating malware.
Security firm Check Point confirms data breach, but says users have nothing to worry about
wo human figure including America and China flag are in confrontation on the world background
American cyber brass calls for retaliatory strikes against China, but is the US really ready?
GL.iNet Slate 7 router
Here's the world's first mobile Wi-Fi 7 router, and I can't believe how ridiculously cheap it is
Apple MacBook Air 13-inch (M4) REVIEW
You can now set up your new Mac with an iPhone or iPad, and it might just be the best new time-saver
AYANEO Retro Mini PC AM01S
Mac-inspired mini PC has three unique, exciting features that I beg other mini PC designers to embrace and copy
Google Chrome
Gave up trying to install Chrome on Windows 11 because it wouldn’t work? Google has fixed this error, but I can’t believe how long it took
An AI face in profile against a digital background.
Humans as hardware - no, not the name of a new Matrix movie prequel but a shocking idea about human tissue
Samsung Galaxy Z Fold 6 REVIEW
Foldable phone sales are tipped to fall this year – and Apple is the only brand that could turn things around