A security flaw has been identified in Microsoft's Windows Smart App Control (SAC) and Microsoft Defender SmartScreen features that allows attackers to launch applications without triggering the reputation warning or block these features would normally show. The technique, known as LNK stomping, has been in use since at least 2018 and affects both SmartScreen on Windows 10 and Smart App Control on Windows 11.
Background on Smart App Control and SmartScreen
Introduced with Windows 11, Smart App Control is a reputation-based security feature that queries Microsoft's app intelligence services to assess whether an application is safe to run. It is enforced through Windows' code integrity mechanisms, so untrusted or unknown binaries are blocked rather than merely warned about. SmartScreen, the older feature SAC builds on, protects against malicious content by evaluating the reputation of downloaded files and websites. Both features key on the "Mark of the Web" (MotW): the Zone.Identifier alternate data stream that browsers and other downloaders attach to a file to record that it came from the internet. Files without that mark are not subjected to the same reputation check.
The LNK Stomping Vulnerability
LNK stomping relies on Windows shortcut (.lnk) files whose target path or internal structure is not in the form Explorer itself would produce. When a user opens such a file, Windows Explorer (explorer.exe) rewrites the shortcut on disk into its canonical format. The rewritten .lnk no longer carries the MotW, and because this rewrite happens before the reputation check runs, the check that keys on MotW never fires and the target application launches without a warning. Elastic Security Labs discovered that this flaw has been exploited in the wild for years, with samples dating back over six years. (elastic.co)
Implications and Impact
Exploiting this flaw lets an attacker bypass the reputation checks that SmartScreen and SAC are meant to apply to internet-sourced files, so a malicious program runs after a single click without the warning or block the user would otherwise see. This undermines a control that many organizations rely on as a first line of defense against untrusted applications. That the technique has been in use since 2018 without being addressed shows how difficult it is to secure an operating system against attacks that abuse legitimate file-handling behavior rather than memory-safety bugs.
Technical Details
To exploit LNK stomping, attackers craft .lnk files with unconventional target paths or internal structures. Two examples given by Elastic are appending a dot or space to the target executable name (e.g. "powershell.exe.") and using a relative target such as ".\target.exe" instead of the fully resolved path Explorer would normally store. When the user clicks the shortcut, Explorer resolves the intended executable, rewrites the .lnk on disk in canonical form (which drops its MotW), and launches the target, so the SmartScreen or SAC check that depends on the mark is never applied. (elastic.co)
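The following is an added example, not code from Elastic Security Labs or Microsoft: it parses the header and StringData section of a shell link according to Microsoft's public MS-SHLLINK layout and flags target paths in the non-canonical forms described above (trailing dot or space, a ".\" segment) plus one further heuristic of this example's own (a ".." segment that follows a named directory). The sample .lnk blobs are constructed in the script and carry only StringData; real shortcuts also store the target in the LinkTargetIDList and LinkInfo structures, which this example skips over rather than decodes, so a production checker would need to inspect those as well. The has_mark_of_the_web helper only works on NTFS under Windows.

```python
"""Added example (not from Elastic Security Labs or Microsoft): build constructed
LNK samples and flag the non-canonical target paths that LNK stomping relies on.
Field layout follows MS-SHLLINK; only the header and StringData are modelled."""
import os
import re
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order when their flag bit is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def _string_data(text):
    # CountCharacters (UTF-16 code units) followed by the string, no terminator
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, working_dir="", arguments=""):
    """Serialize a minimal Unicode LNK carrying only StringData. This is a
    constructed sample for exercising the checker; it has no ID list or LinkInfo."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIqqqIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = _string_data(relative_path)
    if working_dir:
        body += _string_data(working_dir)
    if arguments:
        body += _string_data(arguments)
    return header + body


def parse_lnk(blob):
    """Return (LinkFlags, StringData fields) of a shell link blob."""
    if (len(blob) < HEADER_SIZE or blob[:4] != struct.pack("<I", HEADER_SIZE)
            or blob[4:20] != LINK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + ItemIDs
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        off += struct.unpack_from("<I", blob, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, off)[0]
        off += 2
        size = count * 2 if unicode else count
        fields[name] = blob[off:off + size].decode("utf-16-le" if unicode else "cp1252")
        off += size
    return flags, fields


def stomping_indicators(target):
    """Heuristics (this example's own) for targets Explorer would rewrite. Plain
    '..\\..\\x.exe' is what Explorer itself emits and is deliberately not flagged."""
    findings = []
    segments = target.split("\\")
    if re.search(r"[ .]$", segments[-1]):
        findings.append("target name ends with a dot or space")
    if "." in segments[:-1]:
        findings.append("'.' directory segment in target path")
    named_seen = False
    for seg in segments[:-1]:
        if seg not in ("", ".", ".."):
            named_seen = True
        elif seg == ".." and named_seen:
            findings.append("'..' segment after a named component")
            break
    return findings


def scan_lnk(blob):
    """Parse a link and return (relative target path, list of indicators)."""
    _, fields = parse_lnk(blob)
    target = fields.get("relative_path", "")
    return target, stomping_indicators(target)


def has_mark_of_the_web(path):
    """True if the file carries a Zone.Identifier stream (NTFS on Windows only)."""
    return os.path.exists(path + ":Zone.Identifier")


if __name__ == "__main__":
    samples = {  # constructed; the stomped targets mirror the writeup's examples
        "canonical": build_lnk("..\\..\\..\\Windows\\System32\\notepad.exe"),
        "trailing-dot": build_lnk("..\\..\\Windows\\System32\\cmd.exe."),
        "dot-relative": build_lnk(".\\target.exe", working_dir="."),
    }
    for label, blob in samples.items():
        print(label, scan_lnk(blob))
```

Run against shortcuts pulled from mail attachments or archive extractions, any hit on scan_lnk is worth a look; pair it with has_mark_of_the_web on the .lnk before and after it is opened to see the mark disappear when Explorer rewrites the file.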
Mitigation and Recommendations
Microsoft has acknowledged the issue and indicated that it may be addressed in a future Windows update; no fix was available at the time of writing. Until one ships, users should treat shortcut files from untrusted sources with the same suspicion as executables and keep their systems current with security patches. Because the bypass works by stripping the MotW rather than by defeating the reputation check itself, defenders should not rely on SmartScreen or SAC alone: blocking or quarantining .lnk attachments at the mail gateway, running endpoint protection that inspects shortcut files rather than trusting the MotW check, and auditing for shortcuts whose target paths are not in the canonical form Explorer produces all reduce the exposure.
Related Articles
- Windows Smart App Control, SmartScreen Bypass Exploited Since 2018
- Researchers Uncover Flaws in Windows Smart App Control and SmartScreen
- Hackers Exploiting Flaws In Windows Smart App Control Since 6 Years
These articles provide further detail on the Smart App Control and SmartScreen bypasses and on the reputation-hijacking techniques reported alongside LNK stomping.