Windows Smart App Control has a worrying security bug that hackers exploited for years


A potentially serious security flaw which had been exploited since at least 2018 has been found in Windows Smart App Control and SmartScreen.

The flaw allows attackers to launch malicious programs on devices without triggering alerts that would typically show if a Mark of the Web (MotW) file was opened, experts have warned.

Both Smart App Control and SmartScreen are designed to pull up an alert when MotW files are opened, as they can contain potentially dangerous apps and binaries.

Format correction removing MotW

The flaw was discovered by Elastic Security Labs, and is exploited by creating LNK files with modified target paths or internal structures which are automatically reformatted by explorer.exe when opened. This reformatting removes the MotW, stopping security alerts from Smart App Control and SmartScreen.

All it takes is a single trailing space or dot in the target path: Windows Explorer will correct it and, in rewriting the file, strips the MotW tag. The same goes for an LNK file with a modified relative path.
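The trailing-space/dot variant Elastic describes can be checked for on the defender side. The following added example (not Elastic's or Microsoft's code) parses the target path and relative path out of a .lnk file's LinkInfo and StringData sections, following the published MS-SHLLINK layout, and flags values that explorer.exe would rewrite on open; the sample .lnk is constructed inline and is deliberately minimal.

```python
import struct

# Added example (not Elastic's or Microsoft's code): parse a .lnk file's target
# path (LinkInfo.LocalBasePath) and StringData per the MS-SHLLINK layout, then
# flag paths that explorer.exe would "correct" on open (trailing space or dot).

HEADER_SIZE, IS_UNICODE = 0x4C, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the path-bearing fields of a shell link as a dict of str."""
    if data[:4] != b"\x4c\x00\x00\x00" or len(data) < HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, out = HEADER_SIZE, {}
    if flags & 0x01:                      # HasLinkTargetIDList: u16 size + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                      # HasLinkInfo: size, hdr size, flags, offsets
        size, _, li_flags, _, lbp_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:               # VolumeIDAndLocalBasePath: NUL-terminated ANSI
            out["local_base_path"] = data[pos + lbp_off:].split(b"\x00", 1)[0].decode("cp1252")
        pos += size
    for flag, key in STRING_FIELDS:       # StringData: u16 CountCharacters + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            nbytes = count * 2 if flags & IS_UNICODE else count
            out[key] = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if flags & IS_UNICODE else "cp1252")
            pos += 2 + nbytes
    return out

def lnk_stomping_indicators(data: bytes) -> list:
    """Paths ending in a space or dot get rewritten, and lose MotW, when opened."""
    fields, hits = parse_lnk(data), []
    for key in ("local_base_path", "relative_path", "working_dir"):
        value = fields.get(key)
        if value and value != value.rstrip(" ."):
            hits.append(f"{key} has trailing space/dot: {value!r}")
    return hits

def build_sample_lnk(local_base_path: str, relative_path: str) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo + RELATIVE_PATH) for testing only."""
    lbp = local_base_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"      # empty volume label
    size = 0x1C + len(volume_id) + len(lbp) + 1                    # + empty CommonPathSuffix
    link_info = struct.pack("<7I", size, 0x1C, 1, 0x1C, 0x1C + len(volume_id), 0,
                            0x1C + len(volume_id) + len(lbp)) + volume_id + lbp + b"\x00"
    # Header: magic 0x4C, 16-byte CLSID (zeroed here), LinkFlags at 0x14, padded to 0x4C.
    header = struct.pack("<I16xI", HEADER_SIZE, 0x02 | 0x08 | IS_UNICODE).ljust(HEADER_SIZE, b"\x00")
    return header + link_info + struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
```

Running `lnk_stomping_indicators` over every .lnk in a download or mail-attachment quarantine gives a cheap triage signal that does not depend on the file still carrying its Zone.Identifier stream.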

The oldest sample on VirusTotal that abuses this flaw is at least six years old, meaning that the flaw has been actively exploited since at least 2018. But the Smart App Control and SmartScreen weaknesses don't end there: Elastic Security Labs also identified other ways to bypass these security controls.

By using code-signing or EV signing certificates, the researchers could sign malicious payloads that would not alert Smart App Control or SmartScreen. It is also possible to repurpose apps that have a pre-existing good reputation to dodge security checks. Attackers could also bypass security measures by deploying a malicious application that only triggers security checks if certain conditions are met.

“Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area. We are releasing this information, along with detection logic and countermeasures, to help defenders identify this activity until a patch is available,” Elastic Security Labs said.

Via BleepingComputer 

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
