Security firm warns that 'design weaknesses' in Windows Smart App Control mean it can be easily bypassed
Smart App Control is just one of various security features Microsoft has built into Windows 11. But while many users place faith in the tool to block malicious apps, Elastic Security Labs warns that it is fundamentally flawed.
The company says that Windows Smart App Control and its predecessor SmartScreen "have several design weaknesses that allow attackers to gain initial access with no security warnings or popups". In a research report, Elastic Security Labs details several classes of attack that can be used to bypass Windows Smart App Control, and also reveals a bug in how Windows handles .lnk (shortcut) files that can be used to get around its security checks.
Microsoft introduced Defender SmartScreen in Windows 8, and Windows 11's Smart App Control builds on the same reputation model. In theory the system checks each app a user tries to run against a Microsoft cloud reputation service of known-good and known-bad executables, warning on or blocking anything that fails the check. But Elastic warns there is considerable scope for bypassing those checks.
Malicious apps can be signed with legitimate certificates and so evade detection; Elastic notes this is a widely used technique. Another method is reputation hijacking: repurposing an application that already has a good reputation (script hosts and interpreters are the obvious candidates) so that it launches attacker-supplied code without any warning to the user.
Elastic explains how a third, related class of attack, reputation tampering, can be used to bypass SAC as well:
A third attack class against reputation systems is reputation tampering. Normally, reputation systems use cryptographically secure hashing systems to make tampering infeasible. However, we noticed that certain modifications to a file did not seem to change the reputation for SAC. SAC may use fuzzy hashing or feature-based similarity comparisons in lieu of or in addition to standard file hashing. It may also leverage an ML model in the cloud to allow files that have a highly benign score (such as being very similar to known good). Surprisingly, some code sections could be modified without losing their associated reputation. Through trial and error, we could identify segments that could be safely tampered with and keep the same reputation. We crafted one tampered binary with a unique hash that had never been seen by Microsoft or SAC. This embedded an "execute calc" shellcode and could be executed with SAC in enforcement mode.
The security firm also found a separate Mark of the Web (MotW) bypass, which it calls LNK Stomping. The company says: "During our research, we stumbled upon another MotW bypass that is trivial to exploit. It involves crafting LNK files that have non-standard target paths or internal structures. When clicked, these LNK files are modified by explorer.exe with the canonical formatting. This modification leads to removal of the MotW label before security checks are performed".
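To make the LNK Stomping description concrete, here is an added example in Python; it is not Elastic's code and is not part of the original article. It contains a minimal parser for the ShellLinkHeader, LinkInfo and StringData sections of a .lnk file (laid out per the public MS-SHLLINK format) and a heuristic that flags the kind of non-standard target path the quote refers to. The sample shortcuts are constructed inline by the script itself. The specific heuristics (a target path ending in a dot or space, or a target given only as a relative path) and the function names are assumptions made for illustration, not a list taken from the article. has_motw only does anything useful on NTFS, where the Zone.Identifier alternate data stream that carries the Mark of the Web lives; elsewhere it simply returns False.

```python
import re
import struct

# ShellLinkHeader magic: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK 2.1)
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_RELATIVE_PATH = 0x08
IS_UNICODE = 0x80
# StringData entries appear in this fixed order when their LinkFlags bit is set
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))


def build_lnk(local_path=None, relative_path=None):
    """Constructed sample shortcut for this example (not a real-world file).
    Emits a ShellLinkHeader, an optional LinkInfo block carrying a
    VolumeID + LocalBasePath, and an optional RelativePath string."""
    flags = IS_UNICODE
    body = b""
    if local_path is not None:
        flags |= HAS_LINK_INFO
        # VolumeID: size 0x11, DRIVE_FIXED, serial 0, empty label at offset 0x10
        volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"
        lbp = local_path.encode("ascii") + b"\x00"
        hdr = 0x1C                        # LinkInfoHeaderSize without unicode offsets
        vol_off = hdr
        lbp_off = vol_off + len(volume_id)
        suffix_off = lbp_off + len(lbp)   # empty CommonPathSuffix follows the path
        size = suffix_off + 1
        body += struct.pack("<IIIIIII", size, hdr, 0x1, vol_off, lbp_off, 0, suffix_off)
        body += volume_id + lbp + b"\x00"
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    header = (LNK_MAGIC + struct.pack("<II", flags, 0x20)   # FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                                 # three zero FILETIMEs
              + struct.pack("<IIIH", 0, 0, 1, 0)             # size, icon, SW_SHOWNORMAL, hotkey
              + b"\x00" * 10)                                # reserved fields
    return header + body


def parse_lnk(data):
    """Return the target-path fields of a shell link: LocalBasePath from LinkInfo
    plus whichever StringData entries are present."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    out = {"local_base_path": None, "relative_path": None}
    if flags & HAS_LINK_TARGET_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # skip IDListSize + IDList
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol, lbp_off, _cnrl, _sfx = struct.unpack_from("<IIIIIII", data, pos)
        if info_flags & 0x1:                                # VolumeIDAndLocalBasePath
            start = pos + lbp_off
            out["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += size
    for bit, key in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                out[key] = data[pos:pos + count].decode("latin-1")
                pos += count
    return out


def lnk_findings(data):
    """Heuristics (assumptions for this example) for target paths that explorer.exe
    would have to rewrite into canonical form before launching the target."""
    info = parse_lnk(data)
    findings = []
    for key in ("local_base_path", "relative_path"):
        path = info.get(key)
        if not path:
            continue
        if path != path.rstrip(" ."):
            findings.append(f"{key} ends with a dot or space: {path!r}")
        if key == "local_base_path" and re.match(r"^[A-Za-z]:\\", path) is None:
            findings.append(f"{key} is not a rooted drive path: {path!r}")
    if info["local_base_path"] is None and info.get("relative_path"):
        findings.append("target given only as a relative path")
    return findings


def has_motw(path):
    """NTFS only: True when the Zone.Identifier alternate data stream (the MotW)
    is present. On other filesystems the open fails and this returns False."""
    try:
        with open(f"{path}:Zone.Identifier", "rb") as ads:
            return b"ZoneId" in ads.read()
    except OSError:
        return False


if __name__ == "__main__":
    samples = {
        "canonical": build_lnk(local_path="C:\\Windows\\System32\\calc.exe"),
        "trailing-dot": build_lnk(local_path="C:\\Windows\\System32\\calc.exe."),
        "relative-only": build_lnk(relative_path=".\\calc.exe"),
    }
    for label, blob in samples.items():
        print(label, parse_lnk(blob), lnk_findings(blob))
```

Running the script prints the parsed target fields and the findings for each constructed shortcut: the canonical one yields no findings, the trailing-dot and relative-only ones each yield one. In a detection pipeline the useful combination is a hit from lnk_findings on a file that still carries has_motw == True when it lands, since the bypass relies on that stream being dropped when explorer.exe rewrites the file.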
The full report from Elastic Security Labs is available to read here, and there are videos that demonstrate the various attack vectors. The company concludes its findings with a sobering reflection:
Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area.
The company has produced a tool that can be used to check the trustworthiness of any given file, and the source code for this is available here.
Image credit: Kheng Ho Toh / Dreamstime.com