Scientists Reveal Weaknesses in Windows Smart App Control and SmartScreen

Aug 05, 2024Ravie LakshmananCyber Threat Analysis / Security Flaw

Cybersecurity researchers have identified design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could allow threat actors to gain initial access to target environments without detection.

Smart App Control (SAC) is a cloud-powered security feature that Microsoft introduced in Windows 11 to block malicious, untrusted, and potentially unwanted apps from running on the system. When the cloud service cannot make a prediction about an app, SAC checks whether the app is signed with a valid signature before allowing it to run.

SmartScreen, which debuted with Windows 10, works along similar lines: it determines whether a downloaded app or website is potentially malicious, using a reputation-based approach to protect against unsafe URLs and apps.

“Microsoft Defender SmartScreen assesses the URLs of websites to determine if they are sources of unsafe content,” according to Microsoft's documentation.


“It also conducts reputation assessments on apps, examining the digital signatures of downloaded programs and files. If a URL, file, app, or certificate has established goodwill, users will not receive any alerts. If it lacks reputation, the item is perceived as higher risk, resulting in a user warning,” the documentation explains.

It is worth noting that when SAC is enabled, it replaces and disables Defender SmartScreen.

“Both Smart App Control and SmartScreen suffer from multiple foundational vulnerabilities allowing for initial access without alerts and with limited user engagement,” Elastic Security Labs stated in a report shared with The Hacker News.

One of the simplest ways to bypass these protections is to have an app signed with a legitimate Extended Validation (EV) certificate. Threat actors have already used this tactic to distribute malware, as the HotPage case demonstrated.


Other detection-evasion techniques include:

  • Reputation Hijacking: Identifying and repurposing apps that already carry a good reputation to bypass the system (e.g., JamPlus or a well-known AutoHotkey interpreter)
  • Reputation Seeding: Using a seemingly innocuous, attacker-controlled binary to trigger malicious behaviour, either through an application vulnerability or after a set period of time has elapsed
  • Reputation Tampering: Altering certain sections of a legitimate binary (e.g., calculator) to insert shellcode without losing its overall reputation
  • LNK Stomping: Exploiting a flaw in how Windows handles shortcut (LNK) files to remove the mark-of-the-web (MotW) tag and get around SAC protections, since SAC blocks files carrying that label

“This involves crafting LNK files with unconventional target paths or internal compositions,” the researchers elaborated. “Upon interaction, explorer.exe alters these LNK files to comply with standard formatting, eliminating the MotW label before security checks are initiated.”
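Since SAC and SmartScreen key off the mark-of-the-web, a defender's first question after reading the above is which downloaded files on a host actually carry it. The following PowerShell script is an added example written for this page, not code from the article or from Elastic Security Labs. It assumes a Windows 10/11 host with an NTFS volume, where the MotW is stored as a `Zone.Identifier` alternate data stream, and it audits a folder (the user's Downloads directory by default, an assumed path) for files without that stream, listing shortcut files separately because a `.lnk` that arrived from the internet yet has no MotW matches the rewrite behaviour the researchers describe.

```powershell
# Added example (not from the article or Elastic Security Labs): audit a folder
# for files that lack the Mark-of-the-Web, paying extra attention to .lnk files.
# Assumes Windows PowerShell 5.1 or later on an NTFS volume, where the MotW is
# kept in the Zone.Identifier alternate data stream.

param(
    # Assumed default location; pass -Path to audit another directory.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$FilePath)
    # Returns the ZoneId recorded in the Zone.Identifier stream, or $null when
    # the file has no such stream (i.e. no mark-of-the-web).
    try {
        $content = Get-Content -LiteralPath $FilePath -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $content) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$report = foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse) {
    $zone = Get-MotwZone -FilePath $file.FullName
    [pscustomobject]@{
        File    = $file.FullName
        Ext     = $file.Extension.ToLowerInvariant()
        ZoneId  = $zone
        # ZoneId 3 = Internet, 4 = Restricted sites: the zones that count as MotW.
        HasMotw = ($null -ne $zone -and $zone -ge 3)
    }
}

# Shortcut files in a download location with no MotW deserve a closer look:
# explorer.exe rewriting a non-standard LNK drops the tag before security checks run.
Write-Host "Shortcut files without a mark-of-the-web under $Path:"
$report | Where-Object { $_.Ext -eq '.lnk' -and -not $_.HasMotw } |
    Format-Table File, ZoneId -AutoSize

# Overall split of marked vs. unmarked files, useful as a baseline for the host.
$report | Group-Object HasMotw | Select-Object Name, Count
```

Run it as a script (`.\Audit-Motw.ps1 -Path C:\Users\alice\Downloads`, names assumed); the first table is the one to act on, and the summary count shows how common unmarked files are on that machine. Absence of the stream proves nothing on its own, since files copied from local media never had one, so the result is a triage list, not a verdict, and it complements rather than replaces the download inspection the researchers recommend.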


“Reputation-based security systems serve as an effective barrier against standard malware,” the researchers said. “Nevertheless, akin to any defense mechanism, they possess vulnerabilities that can be circumvented with caution. Security teams should critically examine downloads within their detection systems, not relying exclusively on the native OS security features for protection in this context.”
