Stratos Ally

Flaws in Windows Smart App Control and SmartScreen Can Enable Unauthorized Access


StratosAlly


Security experts have found flaws in Microsoft’s Windows Smart App Control (SAC) and SmartScreen features. These vulnerabilities could let threat actors slip past security checks without triggering alerts. 

SAC, which comes with Windows 11, and SmartScreen, which started with Windows 10, aim to stop untrustworthy or dangerous apps and websites. They rely on cloud-based systems that analyze reputations to spot threats. Enabling SAC also disables and replaces the Defender SmartScreen. 

SmartScreen evaluates website URLs for known unsafe content and performs reputation checks on downloaded programs and their digital signatures. Items with established reputations don’t trigger warnings, while those lacking reputation are flagged as higher risk. 

However, Elastic Security Labs has shown that these systems have basic design flaws. These issues could allow unauthorized access without setting off alarms or needing much user input. 

Researchers have spotted several ways to get around these safeguards: 

Signed Malware: Threat actors sign harmful apps with real Extended Validation certificates.

Reputation Hijacking: Using trusted apps to get around security. 

Reputation Seeding: Using seemingly harmless files to trigger malicious behaviour later. 

Reputation Tampering: Modifying legitimate binaries to inject malicious code without losing their reputation. 

LNK Stomping: Using a weak spot in Windows shortcuts to remove security labels. 

Experts have found LNK stomping attacks going back to 2018, which shows that threat actors have known about this vulnerability for a long time. 

Although reputation-based systems work well at stopping common malware, they have vulnerabilities that attackers can abuse. Security experts advise against depending solely on these built-in OS features; instead, they recommend that security teams scrutinize downloads in their own detection stack.
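As an added defender-side example (this script is not from the article or from Elastic Security Labs' research), the audit below shows what "scrutinizing downloads" can look like in practice. It lists recent files in a folder and, for each one, reports the two signals that SmartScreen and SAC lean on: whether the Mark-of-the-Web (the Zone.Identifier alternate data stream) is still present, and the Authenticode signature status and signer. Files that arrived recently, have no Zone.Identifier stream, and are of a type Windows will execute (shortcuts and executables included) are flagged for review. The Downloads folder, the seven-day window and the extension list are assumptions chosen for the example.

```powershell
# Added example, not part of the article or Elastic's research.
# Audit recently downloaded files for missing Mark-of-the-Web and for signature status.
param(
    # Assumption: scan the current user's Downloads folder (NTFS volume required for ADS).
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
    # Assumption: look back seven days.
    [int]$Days = 7
)

# Assumption: file types worth a closer look when the MotW label is absent.
$executableTypes = @('.lnk', '.exe', '.dll', '.msi', '.scr', '.js', '.vbs', '.ps1', '.bat', '.cmd')

$cutoff = (Get-Date).AddDays(-$Days)
$files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff }

$results = foreach ($f in $files) {
    # Zone.Identifier is the ADS that SmartScreen/SAC consult; ZoneId=3 means "Internet".
    $zone = Get-Content -Path $f.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($zone) {
        foreach ($line in $zone) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
        }
    }

    # Authenticode check: Valid for a trusted chain, NotSigned for unsigned files.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File       = $f.FullName
        Extension  = $f.Extension
        HasMotW    = [bool]$zone
        ZoneId     = $zoneId
        SigStatus  = $(if ($sig) { $sig.Status } else { 'Unknown' })
        Signer     = $(if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
        # A recently written executable type with no MotW label deserves review:
        # the label may never have been applied, or it may have been stripped.
        Suspicious = (-not $zone) -and ($f.Extension -in $executableTypes)
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated or normal PowerShell session on the host being reviewed; the output sorts flagged files to the top. Note that a valid signature on its own is not a clean bill of health, since the article's first bypass is precisely malware signed with a genuine certificate, so the signer subject is printed for a human or an allow-list to judge rather than used as a pass/fail verdict.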
