Windows SmartScreen and Smart App Control exploited since 2018

Windows[German]There are vulnerabilities in Windows SmartScreen and Smart App Control that are based on design errors. It has now become public that these vulnerabilities have been exploited by attackers since 2018. Security researchers at Elastic Security Labs have compiled and published an overview of the problems and design weaknesses of the security functions used in Windows.

What is SmartScreen?

SmartScreen is a security function that was developed by Microsoft. The SmartScreen filter has been available since Windows 8 and is integrated into Windows and the Microsoft Edge web browser. The feature is used to protect users from potentially harmful websites, downloads and applications by analyzing their reputation and threat level. An overview of Microsoft Defender SmartScreen was published by Redmond here.

What is Windows Smart App Control?

In Windows 11, SmartScreen has been replaced by the Smart App Control function. This is a new feature designed to provide protection against new and emerging threats by blocking apps that are malicious or untrustworthy. Smart App Control is also designed to help block potentially unwanted apps, i.e. apps that can cause a system to run slower by displaying unexpected ads or offering additional software (adware and PUPs). Smart App Control (SAC) was introduced with Windows 11 version 22H2 (version 22572 or higher). Microsoft has published this information page on Windows Smart App Control.

Both security features use the Mark of the Web flag (MotW) for files to detect downloads from the Internet. Microsoft has repeatedly had to patch vulnerabilities in this area in the past. And the vulnerabilities have been exploited by attackers for years (see Windows and the "Mark of the Web" (MotW) security problem).

Bugs and design flaws uncovered

Security researchers at Elastic Security Labs have discovered bugs and design weaknesses in connection with .lnk files while analyzing Windows Smart App Control (SAC). The problems also apply to the older SmartScreen. One way to circumvent Smart App Control is to simply sign malware with a code-signing certificate. This gives the application a higher reputation and the security features may not classify it as malicious.

Other approaches for attacks include reputation hijacking in order to feign a position of trust. Script hosts are an ideal target for a reputation hijacking attack, write the security researchers. This is particularly true if they have an FFI (Foreign Function Interface) function. With FFI, attackers can easily load and execute arbitrary code and malware in the memory. During research by security researchers at VirusTotal and GitHub, we identified many script hosts that are known to have a good reputation and can be used for full code execution. These include Lua, Node.js and AutoHotkey interpreters.

Another attack on reputation protection is to inject attacker-controlled binaries into the system. This could simply be a new script host binary, an application with a known vulnerability or an application with a useful primitive. On the other hand, it could be a binary that contains embedded malicious code but only activates after a certain date or environment trigger. Smart App Control appears to be vulnerable to seeding, the security researchers were able to run samples on a machine and found that after 2 hours they had gained a good reputation in Windows Smart App Control.

A third class of attack against reputation systems is reputation tampering. Normally, reputation systems use cryptographically secure hashing systems to make tampering impossible. However, the security researchers found that certain changes to a file do not appear to change the reputation for Smart App Control (SAC). Surprisingly, they write, some sections of code could be changed without losing the associated reputation.

During the analysis, the security researchers also discovered that there is a MotW vulnerability that can be exploited via Lnk files. The MotW flag is set for a file as soon as the user downloads it from the Internet onto a Windows system. The SmartScreen filter only scans files with the Mark of the Web flag set. And Smart App Control (SAC) completely blocks certain file types as soon as they have the MotW flag.

The security researchers were able to manipulate the MotW flag by creating LNK files that have non-standard target paths or internal structures. When these LNK files are clicked, explorer.exe applies canonical formatting to them. This change causes the MotW flag to be removed before security checks are performed.

Overall, the two Windows security features SmartScreen and Smart App Control (SAC) are very easy to exploit and basically useless. The vulnerabilities outlined above have also been practically exploited by cyber attackers since at least 2018. The security researchers at Elastic Security Labs have documented their findings in detail in the blog post Dismantling Smart App Control.

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *