CVE-2024-38217: Why could 0day not be detected in Windows for 6 years?

Friend

Elastic Security Labs has revealed the details of the "LNK Stomping" attack.

As part of its recent Patch Tuesday update, about which we have already published a separate article, Microsoft has fixed a zero-day vulnerability in the Windows Smart App Control and SmartScreen features that attackers have been exploiting for the past six years. Let's look at this security flaw in more detail.

Known as CVE-2024-38217, the vulnerability allowed attackers to bypass Smart App Control and the "Mark of the Web" (MotW) marking on downloaded files, which made it possible to run untrusted or potentially dangerous applications without any security warning.

As Microsoft explained, to exploit the flaw the attacker only had to place a specially crafted file on a server under their control and convince the user to download and open it. This allowed them to interfere with the MotW mechanism, which is responsible for checking downloaded files.

The vulnerability is particularly dangerous because attackers can create malicious files that evade MotW protection, which undermines the integrity and availability of security features that depend on it, such as SmartScreen application reputation checks or Windows Attachment Services prompts.

Smart App Control in Windows 11 uses Microsoft's cloud services and integrity mechanisms to block potentially malicious apps. If this feature is turned off, SmartScreen takes over protection from dangerous content. Both security mechanisms are invoked when a file carrying the MotW label is opened.

In August, Elastic Security Labs had already disclosed some details of the CVE-2024-38217 vulnerability related to the processing of LNK files. The attack, known as "LNK Stomping", allows bypassing the protection of Smart App Control, which normally blocks the launch of untrusted applications.

The LNK Stomping method itself consists of creating LNK files with invalid paths or structures. When such a file is opened, Windows Explorer (explorer.exe) automatically rewrites it into canonical form, which strips the MotW label and lets the file pass the security check. Attackers can add a trailing space or period to the path of an executable file (such as "powershell.exe."), which bypasses the security mechanisms and runs the file without a warning.
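Added example (not from the article or from Elastic): a small Python parser for the Shell Link StringData fields that flags the non-canonical paths LNK Stomping relies on, so a defender can triage .lnk attachments offline before Explorer ever rewrites them. The sample files are constructed by the script itself; the layout assumed follows the MS-SHLLINK specification, and the parser skips rather than decodes the LinkTargetIDList and LinkInfo blocks that real samples also carry.

```python
import struct

HEADER_SIZE = 0x4C                              # Shell Link (MS-SHLLINK) header is 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits used here
# StringData fields in the order they appear, with the LinkFlags bit that says each is present.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))

def build_lnk(relative_path, working_dir=None):
    """Construct a minimal Unicode .lnk carrying only StringData (sample input, not real malware)."""
    flags = IS_UNICODE | 0x08 | (0x10 if working_dir else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\0")
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")   # CountCharacters + chars
    return header + enc(relative_path) + (enc(working_dir) if working_dir else b"")

def parse_lnk(data):
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo blocks."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    fields, off = {}, HEADER_SIZE
    if flags & HAS_TARGET_ID_LIST:              # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for name, bit in STRING_FIELDS:
        if flags & bit:                         # CountCharacters, then that many characters
            count = struct.unpack_from("<H", data, off)[0]
            fields[name] = data[off + 2: off + 2 + width * count].decode(codec)
            off += 2 + width * count
    return fields

def noncanonical_findings(path):
    """List the ways Explorer's path normalisation would rewrite this path."""
    out = []
    for seg in path.split("\\"):
        if seg not in ("", ".", "..") and seg != seg.rstrip(" ."):
            out.append(f"trailing space/dot in segment {seg!r}")
    if "\\.\\" in path or path.endswith("\\."):
        out.append("redundant '.' component")
    return out

def assess_lnk(data):
    """Flag a .lnk whose path fields are non-canonical, the precondition for LNK stomping."""
    fields = parse_lnk(data)
    return [f"{k}: {f}" for k in ("relative_path", "working_dir")
            for f in noncanonical_findings(fields.get(k, ""))]
```

A hit only means the file would be rewritten on open, so it is a triage signal to pair with MotW presence and the target's reputation, not proof of malice.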

It was Elastic's specialists who discovered that the vulnerability had been exploited since at least 2018: several samples of malicious files using this attack mechanism that were found in VirusTotal archives date back to that time. Microsoft, for its part, acknowledged the problem and confirmed that the vulnerability was fixed in the latest system update.

Thus, even proven protection mechanisms in large products can remain vulnerable for a long time, despite large budgets and high security standards. Attackers do not need an invitation to take advantage of a tempting gap, which means users should never relax their vigilance.
