Cybersecurity researchers have discovered design flaws in Microsoft’s Windows Smart App Control and SmartScreen that could allow threat actors to gain initial access to targeted environments without any warning.
Smart App Control (SAC) is a cloud-based security feature introduced by Microsoft in Windows 11 to block malicious, untrusted and potentially unwanted programs from running on the system. In cases where the service cannot make a prediction about an application, it checks whether the application is signed or has a valid signature before allowing it to execute.
SmartScreen, which was released with Windows 10, is a similar security feature that detects whether a website or downloaded app is potentially malicious. It also uses a reputation-based approach to protect URLs and apps.
“Microsoft Defender SmartScreen evaluates website URLs to determine if they are known to distribute or host dangerous content,” Redmond notes in its documentation.
“It also provides reputation checks for applications, checks for downloaded programs, and the digital signature used to sign a file. If a URL, file, program, or certificate has a reputation set, users don’t see any warnings. If there is no reputation, the item is marked as higher risk and presents a warning to the user.”
It’s also worth noting that when SAC is enabled, it replaces and disables Defender SmartScreen.
“Smart App Control and SmartScreen have a number of fundamental design flaws that can allow initial access without security alerts and minimal user interaction,” Elastic Security Labs said in a report shared with The Hacker News.
One of the easiest ways to bypass these protections is to sign the program with a legitimate Extended Validation (EV) certificate, a method already used by attackers to spread malware, as recently witnessed in the case of HotPage.
Some of the other methods that can be used to evade detection are listed below:
- Reputation hijacking, which involves identifying and repurposing programs that already have a good reputation to bypass the system (e.g. JamPlus or a known AutoHotkey interpreter)
- Reputation seeding, which involves using a seemingly innocuous binary controlled by an attacker to trigger malicious behavior, either through a vulnerability in an application or after a certain amount of time has elapsed
- Reputation spoofing, which involves modifying specific sections of a legitimate binary (such as a calculator) to inject shellcode without losing its overall reputation
- LNK Stomping, which involves exploiting a flaw in the way Windows handles shortcut (LNK) files to remove the Mark-of-the-Web (MotW) tag and bypass SAC protection, since SAC only blocks files that carry the tag
“This includes creating LNK files that have non-standard target paths or internal structures,” the researchers said. “When clicked, these LNK files are modified by explorer.exe with canonical formatting. This modification causes the MotW tag to be removed before the security check is performed.”
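Because the bypass works by stripping the MotW tag, a defender's first check is whether downloaded files still carry it. The following Python script is an added example (not code from Elastic or the article): it parses the `Zone.Identifier` alternate data stream that Windows writes for downloads and lists files in a folder that lack a usable tag; the sample stream content and the file-extension list are constructed for illustration.

```python
import os
from typing import Dict, List, Optional

# Zone IDs as Windows records them in the Zone.Identifier alternate data stream.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(stream_text: str) -> Optional[Dict[str, str]]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns the key/value pairs (ZoneId, ReferrerUrl, HostUrl, ...) or None when
    there is no [ZoneTransfer] section or no numeric ZoneId, i.e. no usable MotW.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if not fields.get("ZoneId", "").isdigit():
        return None
    return fields


def read_motw(path: str) -> Optional[Dict[str, str]]:
    """Read a file's Zone.Identifier ADS (NTFS on Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def audit_folder(folder: str, extensions=(".lnk", ".exe", ".msi", ".js", ".vbs")) -> List[str]:
    """Return files with a risky extension that carry no MotW and would therefore
    skip the SAC/SmartScreen check that the tag triggers (constructed extension list)."""
    missing = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path) and name.lower().endswith(extensions) and read_motw(path) is None:
            missing.append(path)
    return missing


# Constructed sample of what a browser download's stream looks like (not a real capture).
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\nHostUrl=https://example.invalid/setup.lnk\r\n"

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

Run `audit_folder` against a user's Downloads directory on Windows; on other platforms only the parser is usable, since the ADS syntax is NTFS-specific.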
“Reputation-based protection systems are a powerful layer to block commercial malware,” the company said. “However, as with any method of protection, they have weaknesses that can be circumvented with some care. Security teams should carefully examine downloads in their detection stack and not rely solely on the OS’s own security features to protect in this area.”