Microsoft fixes Windows Smart App Control zero-day exploited since 2018


September 10, 2024 at 02:15PM

Microsoft has patched a zero-day vulnerability in Windows Smart App Control and SmartScreen, tracked as CVE-2024-38217, that threat actors have been exploiting since at least 2018. The flaw allowed them to bypass these security features and launch untrusted files without any warning. Elastic Security Labs discovered and reported the issue to Microsoft, and the fix shipped with the September 2024 Patch Tuesday updates.

Key takeaways:
– Microsoft has recently fixed a zero-day vulnerability in Windows Smart App Control and SmartScreen, which had been exploited by threat actors since at least 2018.
– The vulnerability, known as CVE-2024-38217, allowed threat actors to circumvent Smart App Control and the Mark of the Web (MotW) security feature to launch untrusted or potentially dangerous binaries and apps without warnings.
– An attacker could host a file on an attacker-controlled server and convince a targeted user to download and open the file, interfering with the Mark of the Web functionality.
– The vulnerability involves LNK stomping: crafting LNK files with unconventional target paths or internal structures. When a user opens such a shortcut, explorer.exe rewrites it in canonical form, and the rewritten file loses its Mark of the Web label before the security checks that depend on that label are run, which is how Smart App Control and SmartScreen are bypassed.
– Elastic Security Labs has published an open-source tool for evaluating a file's Smart App Control trust level and reported the vulnerability to the Microsoft Security Response Center; Microsoft has now fixed it in this month's security updates.
– Multiple samples exploiting the vulnerability have been found on VirusTotal, dating back over six years, indicating long-term exploitation of the issue.
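The non-canonical target paths that make a shortcut a LNK-stomping candidate can be screened for offline. The Python script below is an added example, not code from the article, from Microsoft or from Elastic Security Labs: it parses the MS-SHLLINK header, the LinkInfo LocalBasePath and the RELATIVE_PATH string, and flags the three target forms the Elastic report describes (trailing dot or space, relative path, an executable name used as an intermediate directory). The shortcuts it checks are constructed inline, not real samples; it skips the LinkTargetIDList, which real samples also use to carry the target, so a production scanner would have to walk the shell item IDs as well. The `parse_zone_identifier` helper reads the body of a Zone.Identifier stream, which is the Mark of the Web that the rewrite strips.

```python
"""Heuristic scanner for LNK-stomping shortcuts (added example, not the article's code)."""
import re
import struct

# ShellLinkHeader: HeaderSize 0x4C followed by the shell link CLSID, little-endian.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive letter or UNC prefix


def build_lnk(local_base_path=None, relative_path=None):
    """Build a minimal shortcut (constructed test data): header + LinkInfo + RELATIVE_PATH."""
    flags = IS_UNICODE
    body = b""
    if local_base_path is not None:
        flags |= HAS_LINK_INFO
        path = local_base_path.encode("ascii") + b"\x00"
        # VolumeID: size 17, DriveType 3 (fixed), serial, VolumeLabelOffset 0x10, empty label.
        volume_id = struct.pack("<IIII", 17, 3, 0x12345678, 0x10) + b"\x00"
        header_size, vol_off = 28, 28
        base_off = vol_off + len(volume_id)
        suffix_off = base_off + len(path)          # empty CommonPathSuffix
        info_size = suffix_off + 1
        body += struct.pack("<IIIIIII", info_size, header_size, 0x1, vol_off, base_off, 0, suffix_off)
        body += volume_id + path + b"\x00"
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    header = LNK_MAGIC + struct.pack("<II", flags, 0x20) + b"\x00" * 24   # flags, attrs, 3 FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)                 # size, icon, SW_SHOWNORMAL, rest
    return header + body


def _cstring(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return (LocalBasePath, RELATIVE_PATH); either is None when the shortcut lacks it."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skipped: shell item IDs not parsed here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base_path = None
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                               # VolumeIDAndLocalBasePath
            local_base_path = _cstring(data, pos + base_off)
        pos += info_size
    relative_path = None
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "latin-1")
    for flag in STRING_DATA_ORDER:                        # fixed order per MS-SHLLINK
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        text = data[pos + 2:pos + 2 + count * width].decode(codec)
        pos += 2 + count * width
        if flag == HAS_RELATIVE_PATH:
            relative_path = text
    return local_base_path, relative_path


def stomping_indicators(target):
    """Non-canonical forms explorer.exe would rewrite (heuristic, not a complete detector)."""
    found = []
    if target != target.rstrip(". "):
        found.append("trailing dot or space")
    if not ABSOLUTE_PATH.match(target):
        found.append("relative target path")
    parts = target.split("\\")
    if any(seg.lower().endswith(".exe") for seg in parts[:-1]):
        found.append("executable name used as a directory")
    return found


def scan_lnk(data):
    """Parse one shortcut and report its target plus any stomping indicators."""
    local_base_path, relative_path = parse_lnk(data)
    indicators = stomping_indicators(local_base_path) if local_base_path else []
    return {"target": local_base_path, "relative_path": relative_path, "indicators": indicators}


def parse_zone_identifier(ads_text):
    """ZoneId from a Zone.Identifier stream body (3 = Internet, i.e. MotW set); None if absent."""
    for line in ads_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


if __name__ == "__main__":
    samples = {                                            # constructed, not real malware
        "benign": build_lnk("C:\\Windows\\System32\\calc.exe", "..\\..\\..\\Windows\\System32\\calc.exe"),
        "trailing-dot": build_lnk("C:\\Windows\\System32\\calc.exe."),
        "relative": build_lnk(".\\calc.exe"),
        "multi-level": build_lnk("C:\\Users\\Public\\calc.exe\\calc.exe"),
    }
    for name, blob in samples.items():
        print(name, scan_lnk(blob))
```

Run it as-is to see the four constructed shortcuts scored; to scan a real directory, read each `.lnk` with `open(path, "rb")` and pass the bytes to `scan_lnk`, and on Windows read the Mark of the Web with `open(path + ":Zone.Identifier")` before handing its text to `parse_zone_identifier`.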
