Cybersecurity researchers have discovered design flaws in Microsoft’s Windows Smart App Control and SmartScreen that could allow cybercriminals to gain initial access to target environments without generating any alerts.
What are the flaws of Smart App Control?
Smart App Control (SAC) is a cloud-based security feature introduced by Microsoft in Windows 11 to block malicious, untrustworthy, and potentially unwanted applications from running on the operating system. In cases where the Smart App Control service cannot make a prediction about an app, it checks whether the app is signed with a valid signature before allowing it to execute.
SmartScreen, released with Windows 10, is a similar security feature that determines whether a visited site or downloaded app is potentially harmful; it also uses a reputation-based approach to protect against malicious URLs and apps.
“Microsoft Defender SmartScreen evaluates website URLs to determine if they are known to distribute or host unsafe content,” Redmond notes in its documentation, adding: “It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, file, app, or certificate has an established reputation, users will not see any warnings. If there is no reputation, the item is marked as a higher risk and presents a warning to the user.”
The special features of Smart App Control and Defender SmartScreen
It is also worth mentioning that when Smart App Control is enabled, it replaces and disables Defender SmartScreen.
“Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow initial access with no security warnings and minimal user interaction,” Elastic Security Labs said in a report.
One of the easiest ways to bypass these protections is to have the app signed with a legitimate Extended Validation (EV) certificate, a technique already exploited by cybercriminals to distribute malware, as recently demonstrated in the case of Hot Page.
Some of the other methods that can be used for detection evasion are listed below:
- Reputation Hijacking, which involves identifying and reusing apps that already have a good reputation to bypass the system (e.g., JamPlus or a well-known AutoHotkey interpreter)
- Reputation Seeding, which involves using a seemingly benign attacker-controlled binary that later triggers malicious behavior, either through a vulnerability in an application or after some time has passed.
- Reputation Tampering, which involves modifying some sections of a legitimate binary (e.g., the calculator) to inject shellcode without losing its overall reputation
- LNK Stomping, which involves exploiting a bug in the way Windows shortcut (LNK) files are handled to remove the mark-of-the-web (MotW) label and bypass SAC protections, since SAC blocks files carrying that label.
“This results in the creation of LNK files with non-standard target paths or internal structures,” the researchers said. “When clicked, these LNK files are changed by explorer.exe to canonical formatting. This change causes the MotW label to be removed before security checks are performed.”
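The signature and MotW checks described above can be audited from the defender's side: a file that reaches a user's machine with no Zone.Identifier stream (or a shortcut whose stream has already been stripped) never gets the SmartScreen or SAC download treatment at all. The following PowerShell script is an added example, not code from Elastic Security Labs or from Microsoft. It assumes an elevated Windows PowerShell 5.1 (or PowerShell 7 on Windows) session; the Downloads folder, the 7-day window, the list of "risky" extensions and the registry key used to read the Smart App Control state are the author's assumptions and should be verified on your own build.

```powershell
# Added example (not from the Elastic report or the Microsoft docs): audit the
# Smart App Control state and the Mark-of-the-Web / Authenticode status of
# recently downloaded files, so a defender can see what the OS checks had to
# work with. Assumed: elevated PowerShell on Windows 11; paths and thresholds
# are arbitrary choices.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
    [int]$Days = 7
)

# 1. Smart App Control state. Assumed registry location (verify on your build):
#    0 = off, 1 = on (enforcing), 2 = evaluation mode.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$sacState = (Get-ItemProperty -Path $ciKey -Name VerifiedAndReputablePolicyState `
    -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
$sacLabel = switch ($sacState) { 0 { 'Off' } 1 { 'On' } 2 { 'Evaluation' } default { 'Unknown' } }
Write-Host "Smart App Control state: $sacLabel"

# 2. Walk recent downloads and record MotW + Authenticode status for each file.
$cutoff  = (Get-Date).AddDays(-$Days)
$results = Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $file = $_
        # MotW is the NTFS alternate data stream "Zone.Identifier"; ZoneId=3 = Internet.
        $zone = $null
        $zoneText = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
            -ErrorAction SilentlyContinue
        if ($zoneText) {
            $m = [regex]::Match(($zoneText -join "`n"), 'ZoneId=(\d)')
            if ($m.Success) { $zone = [int]$m.Groups[1].Value }
        }
        # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        [pscustomobject]@{
            Name      = $file.Name
            Extension = $file.Extension.ToLower()
            ZoneId    = $zone        # $null means no MotW stream at all
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# 3. Report what a reviewer cares about: executables and shortcuts with no MotW
#    (they skip the SAC/SmartScreen download checks) and unsigned executables.
$risky = @('.exe', '.dll', '.msi', '.lnk', '.js', '.vbs', '.ps1', '.hta')
$results | Where-Object { $risky -contains $_.Extension } | ForEach-Object {
    $flags = @()
    if ($null -eq $_.ZoneId)      { $flags += 'NO-MOTW' }
    if ($_.Extension -eq '.lnk')  { $flags += 'LNK' }
    if ($_.SigStatus -ne 'Valid') { $flags += "SIG:$($_.SigStatus)" }
    $zoneShown = if ($null -eq $_.ZoneId) { '-' } else { $_.ZoneId }
    '{0,-40} Zone={1,-4} {2}' -f $_.Name, $zoneShown, ($flags -join ' ')
}
```

Two caveats when reading the output. First, MotW only exists if the browser or archiver that wrote the file added the stream, so a missing stream on an .exe is a signal worth a look but not proof of tampering. Second, because explorer.exe rewrites a stomped LNK when it is clicked, a shortcut that has already been opened will show NO-MOTW in this report; the useful habit is to run the audit (or a file-monitoring rule equivalent to it) before users open what they downloaded, and to treat any LNK in a Downloads folder as worth inspecting regardless of its zone.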
“Reputation-based protection systems are a powerful layer for blocking basic malware,” the company said. “However, like any security technique, they have weaknesses that can be bypassed with a little care. Security teams should carefully scrutinize downloads in their detection stack and not rely solely on the operating system’s native security features for protection in this area.”