Windows Smart App Control, SmartScreen bypass exploited since 2018


Jasper_The_Rasper
Moderator

August 5, 2024 By Sergiu Gatlan
 

A design flaw in Windows Smart App Control and SmartScreen that enables attackers to launch programs without triggering security warnings has been under exploitation since at least 2018.

Smart App Control is a reputation-based security feature that uses Microsoft's app intelligence services for safety predictions and Windows' code integrity features to identify and block untrusted (unsigned) or potentially dangerous binaries and apps.

It replaces SmartScreen in Windows 11, a similar feature introduced with Windows 8 designed to protect against potentially malicious content (SmartScreen will take over when Smart App Control is not enabled). Both features are activated when the user attempts to open files tagged with a Mark of the Web (MotW) label.

As Elastic Security Labs discovered, a bug in the handling of LNK files (dubbed LNK stomping) can help threat actors bypass Smart App Control security controls designed to block untrusted applications.

LNK stomping involves creating LNK files with non-standard target paths or internal structures. When a user clicks on such a file, explorer.exe automatically modifies the LNK files to use the correct canonical formatting.

 

>>Full Article<<
