Friend
The study reveals weaknesses in Windows security mechanisms dating back to 2018.
Cybersecurity researchers have found serious flaws in two of Microsoft Windows' defense mechanisms, Smart App Control (SAC) and SmartScreen. The identified weaknesses allow attackers to compromise target systems without triggering warnings and with minimal user interaction.
SAC, introduced in Windows 11, is a cloud-based security feature designed to block malicious and untrusted applications from running. When SAC cannot reach an unambiguous verdict on a program, it checks whether the program carries a valid digital signature.
SmartScreen, introduced in Windows 10, performs a similar function, evaluating the safety of websites and downloaded files. It analyzes the reputation of URLs and applications and checks downloaded programs and their digital signatures. If a URL, file, or application has a well-established reputation, users see no warning; a lack of reputation causes the object to be flagged as potentially dangerous.
It is worth noting that when SAC is enabled, Defender SmartScreen is disabled.
Researchers at Elastic Security Labs have identified a number of fundamental design flaws in both systems that can be exploited to get past them.
One of the simplest ways to bypass these protections is to sign a malicious application with a valid Extended Validation (EV) certificate. This technique is already actively used by cybercriminals, as the recent HotPage malware demonstrated.
Experts have identified several other methods of circumventing the protections:
- Reputation capture: using applications that already have a good reputation, such as JamPlus or well-known AutoHotkey interpreters, to carry malicious code past the checks.
- Reputation seeding: planting an apparently harmless, attacker-controlled file that runs malicious code only under certain conditions or after a certain time has elapsed.
- Reputation substitution: modifying parts of a legitimate executable to inject malicious code without losing the file's overall positive reputation.
- LNK Stomping: exploiting a flaw in Windows shortcut (LNK) handling to strip the security label and bypass SAC. The method relies on LNK files with non-standard parameters; the system rewrites such files when they are opened, and the rewrite removes the security label before the checks run.
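The "security label" the post refers to is the Mark-of-the-Web, stored on NTFS as the file's Zone.Identifier alternate data stream. The following added example (not code from the original post or from Elastic) parses that stream and reports files that arrive with no label at all, which is exactly the state in which SmartScreen and SAC skip their reputation checks; the sample stream contents are constructed for illustration.

```python
# Added example (not from the original post or Elastic): inspect the
# Mark-of-the-Web on a file. On NTFS the label SmartScreen/SAC consult is an
# alternate data stream "<file>:Zone.Identifier" holding a small INI fragment.

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample stream contents, for illustration only.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.invalid/downloads\r\n"
                   "HostUrl=https://example.invalid/tool.exe\r\n")
SAMPLE_LOCAL = "[ZoneTransfer]\r\nZoneId=0\r\n"


def parse_zone_identifier(stream_text):
    """Return the [ZoneTransfer] keys (lower-cased) or None if absent."""
    fields, in_section, seen = {}, False, False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            seen = seen or in_section
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields if seen else None


def classify(fields):
    """Map parsed fields to (zone_id, verdict)."""
    # 'unlabelled' is the case the post describes: with no label, no
    # reputation check runs, so inspect the file by hand before running it.
    if not fields or not fields.get("zoneid", "").isdigit():
        return None, "unlabelled"
    zone = int(fields["zoneid"])
    return zone, "internet" if zone >= 3 else "local"


def check_file(path):
    """Read the file's Zone.Identifier stream (NTFS only) and classify it."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8") as stream:
            return classify(parse_zone_identifier(stream.read()))
    except OSError:                       # no stream, not NTFS, unreadable
        return classify(None)
```

On non-NTFS systems `check_file` always reports `unlabelled`, so use the parser on stream contents exported from the Windows host (for example from the Zone.Identifier stream shown by `Get-Content -Stream`).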
Of particular concern is the fact that traces of the LNK Stomping technique were discovered going back to February 2018. This indicates that attackers have known about this bypass for several years.
The researchers emphasize that while reputation-based protection systems are effective against mass malware, they have weaknesses that experienced attackers can exploit. Security experts recommend not relying solely on the operating system's built-in security features and carefully checking all downloaded files.