Elastic reports critical security flaws in Microsoft systems
Research from Elastic Security Labs has identified a series of security vulnerabilities within Microsoft Windows Smart App Control (SAC) and SmartScreen. The team highlighted several security weaknesses, including flaws that could allow attackers to gain initial access without any security warnings and with minimal user interaction.
The weaknesses identified include a bug in handling LNK files, which enables attackers to bypass various security controls, even endpoint detection tools. Elastic Security Labs recommended that defenders understand the limitations of SAC and SmartScreen and implement their own detection methods to compensate for these flaws.
SmartScreen has been a feature built into the Windows operating system since Windows 8, focusing on files marked with the Mark of the Web (MotW). With the introduction of Windows 11, Microsoft unveiled Smart App Control as an evolution of SmartScreen, described as offering significant protection against emerging threats by blocking malicious or untrusted apps. However, the SAC and SmartScreen weaknesses allow attackers to bypass these protections.
One notable bypass method involves signing malware with a code-signing certificate. Although Extended Validation (EV) certificates require proof of identity and are secured on specially designed hardware tokens, attackers have managed to impersonate businesses to obtain these certificates. Another vulnerability is reputation hijacking, where attackers repurpose apps with a good reputation to bypass the system. This attack requires the application to execute scripts or code without any command line parameters.
Cloud services may expose undocumented APIs for checking the trust of files, further compounding these vulnerabilities. To demonstrate the practical impact, the Elastic team crafted utilities to show how attackers could exploit these APIs. They noted that crafting LNK files with non-standard target paths or internal structures bypasses MotW, leading to security breaches.
Reputation seeding is another identified method, where binaries controlled by attackers appear benign at first and build up a good reputation before being used in an attack. This method appears particularly effective against Smart App Control, which assigns a trusted label to new binaries after a brief period, making them less detectable.
The team also looked at reputation tampering, where certain file modifications do not alter the software's reputation due to possible use of fuzzy hashing or feature-based similarity comparisons instead of or in addition to standard hashing. This finding means even modified binaries could maintain a trusted status under SAC, posing significant risks.
During their research, the team discovered that LNK files with crafted structures bypass MotW security checks, a technique that had already been in use for over six years. "We are releasing this information, along with detection logic and countermeasures, to help defenders identify this activity until a patch is available," stated Elastic Security Labs in their detailed findings.
Elastic Security Labs recommended several detection methods, including tracking applications known to be abused and developing behavioural signatures to identify suspicious activity. They also advised paying particular attention to downloaded files, using local reputation to flag anomalies for closer inspection. However, the team noted that these methods require continuous updates to remain effective against evolving threats.
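The local-reputation approach recommended above can be illustrated with a small triage routine, added here as an example and not code from Elastic's research. It assumes a simple execution-event record (path, SHA-256, the raw text of the file's Zone.Identifier alternate data stream, which is how MotW is stored) and a constructed fleet-wide prevalence counter; it flags executables that are rarely seen locally and either carry an Internet-zone MotW or sit in a Downloads folder with no MotW at all, which is the symptom a crafted LNK would leave behind.

```python
"""Local-reputation triage for downloaded files (added example, not Elastic's code)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# ZoneId values written into the Zone.Identifier stream (URLZONE constants).
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4


@dataclass
class ExecEvent:
    path: str                        # file that was executed
    sha256: str                      # hash of its contents (constructed in the test)
    zone_identifier: Optional[str]   # raw Zone.Identifier ADS text, None if absent


def parse_zone_id(ads_text: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if missing/malformed."""
    if not ads_text:
        return None
    for line in ads_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None  # malformed stream: treat as no usable MotW
    return None


class LocalReputation:
    """Counts how often each hash has executed locally; rare hashes get extra scrutiny."""

    def __init__(self, rare_threshold: int = 3):
        self.seen = Counter()
        self.rare_threshold = rare_threshold

    def triage(self, ev: ExecEvent) -> List[str]:
        """Record the event and return the reasons (if any) it deserves closer inspection."""
        self.seen[ev.sha256] += 1
        reasons = []
        zone = parse_zone_id(ev.zone_identifier)
        in_downloads = "\\downloads\\" in ev.path.lower()
        if zone in (URLZONE_INTERNET, URLZONE_UNTRUSTED):
            reasons.append("downloaded (MotW zone %d)" % zone)
        elif zone is None and in_downloads:
            # A download that lost its MotW is exactly what a crafted LNK produces.
            reasons.append("in Downloads but no MotW (possible MotW bypass)")
        if self.seen[ev.sha256] < self.rare_threshold:
            reasons.append("low local prevalence")
        return reasons
```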
The research highlights significant weaknesses in Microsoft's Smart App Control and SmartScreen systems, emphasising the need for security teams to implement comprehensive detection mechanisms beyond relying solely on operating system features.