Cybersecurity researchers have uncovered a significant vulnerability in Windows Smart App Control and SmartScreen, two key security features designed to protect users from potentially malicious software. This flaw, which has reportedly been exploited by hackers since at least 2018, allows malicious actors to bypass security warnings and execute unauthorized software on Windows systems.
Understanding Smart App Control and SmartScreen
Smart App Control is a reputation-based protection feature that leverages Microsoft’s application services to predict software safety. It also verifies code integrity to identify and block untrusted or potentially dangerous binaries and applications. In Windows 11, Smart App Control replaces SmartScreen, a similar feature introduced in Windows 8 to guard against potentially harmful content. Both functions are activated when a user attempts to open files marked with the “Mark of the Web” (MotW) flag.
The LNK Stomping Vulnerability
Researchers at Elastic Security Labs have identified a flaw in how Windows handles LNK files, dubbed “LNK stomping.” This vulnerability allows attackers to circumvent Smart App Control’s security measures intended to block untrusted applications. The technique involves creating LNK files with non-standard target paths or internal structures.
How LNK Stomping Works
When a user clicks on a maliciously crafted LNK file, explorer.exe automatically rewrites it into canonical form. In doing so it drops the MotW flag from the downloaded file, so the security checks keyed to that flag never run. Exploiting this flaw is surprisingly simple: attackers need only append a period or space to the target path after the binary’s extension (for example, powershell.exe. with a trailing period), or create an LNK file whose target is a relative path such as .\target.exe.
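The two malformed-target shapes described above can be checked for before a shortcut is ever clicked. The following is an added detection example, not code from the article or from Elastic: it parses the MS-SHLLINK LinkInfo and StringData sections, flags a target path with a trailing period or space or a `.\` relative target, and builds a constructed test fixture (no real samples are used).

```python
import struct

HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size (MS-SHLLINK)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
# StringData fields in on-disk order, with their LinkFlags bits
STRING_FIELDS = (("name", 1 << 2), ("relative_path", 1 << 3), ("working_dir", 1 << 4),
                 ("arguments", 1 << 5), ("icon_location", 1 << 6))
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID

def parse_lnk(data: bytes) -> dict:
    """Return the LocalBasePath (from LinkInfo) and StringData fields of a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, out = HEADER_SIZE, {}
    if flags & HAS_ID_LIST:                       # skip the size-prefixed LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo carries the ANSI local base path
        size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 1:                          # VolumeIDAndLocalBasePath present
            start = pos + base_off
            out["local_base_path"] = data[start:data.index(b"\0", start)].decode("latin-1")
        pos += size
    for name, bit in STRING_FIELDS:               # each: u16 char count, then the chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return out

def lnk_stomping_indicators(data: bytes) -> list:
    """Flag a target ending in a period/space, or a '.\\' relative target (the article's cases)."""
    fields, hits = parse_lnk(data), []
    for key in ("local_base_path", "relative_path"):
        target = fields.get(key, "")
        if target.endswith((".", " ")):
            hits.append((key, "trailing_dot_or_space"))
        if target.startswith(".\\"):
            hits.append((key, "dot_backslash_relative"))
    return hits

def build_sample(rel_path: str) -> bytes:
    """Constructed test fixture, not a real capture: a minimal shortcut whose only
    payload is a Unicode RelativePath string (flags HasRelativePath|IsUnicode)."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", (1 << 3) | IS_UNICODE)
    header += bytes(HEADER_SIZE - len(header))    # zeroed attributes, timestamps, etc.
    return header + struct.pack("<H", len(rel_path)) + rel_path.encode("utf-16-le")
```

Run `lnk_stomping_indicators(open(path, "rb").read())` over shortcuts in download or mail-attachment folders; a non-empty result is worth quarantining for review, since a benign shortcut written by Explorer has no reason to carry either shape.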
Implications and Widespread Exploitation
Security experts warn that this vulnerability has been actively exploited by hackers for years. Analysis of samples in VirusTotal reveals numerous instances designed to take advantage of this flaw, with the oldest dating back to 2018. This long-standing exploitation underscores the critical nature of the vulnerability and its potential impact on Windows users’ security.
Microsoft’s Response and Future Mitigation
Upon notification of these findings, the Microsoft Security Response Center acknowledged the issue. Microsoft has committed to addressing the vulnerability in an upcoming Windows update. However, until a patch is released, users should exercise caution when dealing with downloaded files and be wary of unexpected LNK files from untrusted sources.
This discovery highlights the ongoing challenges in cybersecurity and the importance of continuous vigilance and prompt patching. As threat actors continue to find innovative ways to bypass security measures, both users and software developers must remain proactive in identifying and mitigating potential vulnerabilities. Regular system updates, robust antivirus protection, and user education remain crucial components of a comprehensive cybersecurity strategy.