
In a recent cybersecurity development, researchers have identified significant design weaknesses in Microsoft’s Windows Smart App Control (SAC) and SmartScreen. These flaws can allow attackers to gain initial access to a target environment without triggering the security warnings these features are meant to raise.
Overview of Smart App Control and SmartScreen
Windows Smart App Control (SAC) is a cloud-powered security feature introduced with Windows 11. Its primary function is to block malicious, untrusted, and potentially unwanted applications from running on a system. If SAC cannot predict whether an app is safe, it falls back to checking whether the app carries a valid digital signature before allowing it to run.
SmartScreen, by contrast, is a longer-standing feature that predates SAC. It evaluates the safety of websites and downloaded applications using a reputation-based approach for both URLs and apps. According to Microsoft’s documentation, “Microsoft Defender SmartScreen evaluates a website’s URLs to determine if they’re known to distribute or host unsafe content.” SmartScreen also checks downloaded programs and their digital signatures, and warns the user when a URL, file, app, or certificate has no established reputation.
When SAC is enabled on Windows 11, it takes precedence over SmartScreen, which is disabled. On such a system there is therefore no SmartScreen backstop behind a SAC bypass.
Design Weaknesses Exposed
Elastic Security Labs, in a report shared with The Hacker News, revealed multiple fundamental design flaws in Smart App Control and SmartScreen that could be exploited to gain initial access to systems without triggering security warnings. One of the simplest and most effective ways to bypass these protections is to obtain an Extended Validation (EV) code-signing certificate and sign the malware with it. Criminals are already doing this, as the HotPage malware incident showed.
Other techniques identified for evading detection include:
- Reputation Hijacking: Finding legitimate applications that already have a good reputation and repurposing them to run attacker-controlled code. Script hosts and interpreters such as the JamPlus build utility or the AutoHotkey interpreter are attractive targets because they execute whatever script they are given.
- Reputation Seeding: Planting an attacker-controlled binary that looks harmless so that it accumulates a good reputation, then triggering its malicious behavior later, either through a vulnerability deliberately left in the application or after a set time delay.
- Reputation Tampering: Modifying specific regions of a binary that already has a good reputation (the researchers used a calculator app) to embed shellcode while the file keeps its reputation, even though its contents have changed.
- LNK Stomping: Exploiting a bug in how Windows handles shortcut (LNK) files to strip the Mark of the Web (MotW) label from the launched target. Both features use MotW to decide which files deserve scrutiny: SmartScreen only inspects files that carry it, and SAC blocks certain file types that carry it. Once the label is gone, the file runs unimpeded.
The LNK Stomping Technique
LNK stomping is particularly concerning. It involves creating LNK files with non-standard target paths or internal structures. When a user clicks such a file, explorer.exe rewrites it into canonical form, and in doing so removes the MotW label before the security checks that depend on it are performed. This allows threat actors to bypass the Smart App Control protections meant to block untrusted applications.
Elastic Security Labs’ research indicates that LNK stomping has been exploited in the wild for years: multiple samples, the oldest dating back more than six years, were found on VirusTotal. The findings were shared with the Microsoft Security Response Center, which acknowledged the issue and indicated it “may be fixed in a future Windows update.”
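To make the “non-standard target path” idea concrete for hunting purposes, here is an added example (the editor’s, not code from Elastic Security Labs or Microsoft) that parses the target-related fields of a .lnk file and flags shortcuts that explorer.exe would have to rewrite into canonical form. The specific indicators it checks, trailing dots or spaces on the stored target path and a target given only as a relative path, are this editor’s assumptions about what “non-standard” covers; the three shortcut samples are constructed inside the script, so nothing is written to disk or launched.

```python
import struct

# LinkFlags bits from the Shell Link header (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C


def _cstring(data, off):
    """Read a NUL-terminated ANSI string starting at offset off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Extract the target-related fields of a .lnk file.

    Returns a dict with 'local_base_path' (LinkInfo, if present) plus the
    StringData fields present in the file. The LinkTargetIDList is skipped.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    info = {"local_base_path": None}

    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]

    if flags & HAS_LINK_INFO:
        (li_size, _hdr_size, li_flags, _vol_off,
         lbp_off, _cnrl_off, cps_off) = struct.unpack_from("<7I", data, off)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: LocalBasePath + CommonPathSuffix
            info["local_base_path"] = _cstring(data, off + lbp_off) + _cstring(data, off + cps_off)
        off += li_size

    # StringData fields appear in this fixed order, each prefixed by a
    # 16-bit character count; IsUnicode selects UTF-16LE over ANSI.
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + width * count]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += width * count
    return info


def lnk_stomping_indicators(info):
    """Return reasons why explorer.exe would rewrite this shortcut (editor's heuristics)."""
    reasons = []
    target = info.get("local_base_path")
    rel = info.get("relative_path")
    if target is not None and target != target.rstrip(". "):
        reasons.append(f"target path has trailing dot/space: {target!r}")
    if target is None and rel is not None:
        reasons.append(f"target given only as relative path: {rel!r}")
    if target is None and rel is None:
        reasons.append("no resolvable target path (may live only in the skipped LinkTargetIDList)")
    return reasons


def build_lnk(local_base_path=None, relative_path=None):
    """Build a minimal Shell Link blob (constructed test input, not a real sample)."""
    flags = IS_UNICODE
    body = b""
    if local_base_path is not None:
        flags |= HAS_LINK_INFO
        # VolumeID: size 0x11, DriveType=DRIVE_FIXED, serial, label offset, empty label
        volume_id = struct.pack("<4I", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
        base = local_base_path.encode("cp1252") + b"\x00"
        suffix = b"\x00"  # empty CommonPathSuffix
        vol_off = 0x1C
        lbp_off = vol_off + len(volume_id)
        cps_off = lbp_off + len(base)
        body += struct.pack("<7I", cps_off + len(suffix), 0x1C, 0x1, vol_off, lbp_off, 0, cps_off)
        body += volume_id + base + suffix
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\x00" * (HEADER_SIZE - len(header)) + body


# Constructed samples: one canonical shortcut and two non-standard ones.
SAMPLES = {
    "canonical": build_lnk(r"C:\Windows\System32\notepad.exe"),
    "trailing_dot": build_lnk(r"C:\Windows\System32\notepad.exe."),
    "relative_only": build_lnk(relative_path=r".\notepad.exe"),
}


def scan(samples):
    return {name: lnk_stomping_indicators(parse_lnk(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or "no indicators")
```

To run it over real files, read each shortcut’s bytes and pass them to parse_lnk. Note the caveat built into the last indicator: the parser skips the LinkTargetIDList, so a shortcut whose only target lives in that structure is reported as having no resolvable target rather than being decoded, and deserves a manual look.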

Implications and Recommendations
While reputation-based protections such as Smart App Control and SmartScreen block a great deal of commodity malware, they are not infallible. Elastic Security Labs stressed that the weaknesses above are inherent to the design rather than isolated bugs, and can be bypassed with the techniques described. Security teams should therefore not rely on these OS-native features alone, but should layer additional controls and detections on top of them.
To help defenders in the meantime, Elastic Security Labs released detection logic and countermeasures for identifying this activity until a fix ships. Joe Desimone of Elastic Security Labs has also published an open-source tool for checking a file’s Smart App Control trust level.
Conclusion
The design weaknesses uncovered in Windows Smart App Control and SmartScreen underline the need for robust, layered defenses. Built-in reputation checks alone are not sufficient against an evolving threat landscape; organizations need additional controls to mitigate the risk effectively.
By understanding these weaknesses and deploying compensating detections, organizations can better protect their environments from exploitation. Microsoft has acknowledged the issues and may address them in a future update, which is a positive step, but until then proactive measures are what provide protection.