Microsoft Patches Critical Windows SmartScreen Bypass Vulnerability Exploited as Zero-Day
Vulnerability Overview
Microsoft recently revealed that a critical SmartScreen bypass vulnerability, exploited as a zero-day by attackers, was patched during the June 2024 Patch Tuesday updates. The vulnerability, tracked as CVE-2024-38213, was used by threat actors to bypass SmartScreen protections, potentially allowing malicious software to be executed without triggering security warnings.
SmartScreen and the Mark of the Web (MotW)
SmartScreen is a security feature introduced with Windows 8, designed to protect users from potentially harmful software by analyzing downloaded files tagged with the Mark of the Web (MotW) label. This feature helps prevent users from unknowingly executing malicious files by displaying warnings when such files are opened.
The Vulnerability and Exploitation
The CVE-2024-38213 vulnerability was a security bypass that allowed attackers to circumvent SmartScreen protections. Although exploiting this flaw required user interaction, making it harder to achieve, it was still actively used in attacks. Specifically, the vulnerability allowed remote, unauthenticated threat actors to exploit the flaw in low-complexity attacks, provided they could convince a user to open a malicious file.
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
Microsoft acknowledged the vulnerability in a security advisory, stating, “An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. An attacker must send the user a malicious file and convince them to open it.”
Discovery and Real-World Exploitation
In March 2024, Trend Micro security researcher Peter Girnus discovered that this vulnerability was being exploited in the wild, particularly by the DarkGate malware operators. The discovery was part of an analysis of a campaign where DarkGate operators used a copy-and-paste technique to infect users.
The DarkGate campaign involved exploiting this SmartScreen bypass to deploy malware disguised as legitimate software installers, such as Apple iTunes, Notion, and NVIDIA. During the investigation, Trend Micro’s researchers uncovered how files from WebDAV shares were being copied locally without triggering MotW protections, which led to the discovery of CVE-2024-38213.
This vulnerability was particularly concerning as it was an evolution of a previous SmartScreen bypass, CVE-2024-21412, which was itself a bypass for an even earlier vulnerability, CVE-2023-36025. These vulnerabilities had been leveraged by financially motivated cybercriminals, including the Water Hydra (DarkCasino) hacking group, to spread malware like the DarkMe remote access trojan (RAT).
Trending: Digital Forensics Tool: Elyzer
Patch and Implications
Despite the critical nature of CVE-2024-38213, Microsoft patched the vulnerability in June 2024 but initially failed to include it in the advisory for that month’s security updates. This oversight left many users unaware of the importance of the patch. Trend Micro reported the flaw, and Microsoft’s subsequent patch addressed the security issue, closing the door on this particular exploitation vector.
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: bleepingcomputer.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
