A critical security gap in Windows SmartScreen has been sealed by Microsoft after hackers exploited it for several months. The flaw, tagged as CVE-2024-38213, allowed malicious actors to bypass SmartScreen's protective measures, intended to shield users from harmful software.
Discovery and Exploitation
As reported by Bleeping Computer, Trend Micro's Peter Girnus discovered the flaw and observed cybercriminals abusing it to deploy malware disguised as legitimate software such as Apple iTunes and NVIDIA installers. Although exploitation required user interaction, the flaw proved notably effective in targeted attacks.
Microsoft included a fix for this issue in its June 2024 Patch Tuesday update, although the fix was not listed in the June and July security update notes. The flaw appears to have been part of a broader campaign by DarkGate malware operators, who previously exploited another SmartScreen vulnerability, CVE-2024-21412.
Technical Insights and Damage
CVE-2024-38213 allowed the circumvention of the Mark of the Web (MotW) label, the indicator SmartScreen relies on to flag files that came from an untrusted source. Attackers used this gap to entice users into opening harmful files without a SmartScreen warning. The exploitation involved files served from WebDAV shares that the user copied and pasted, a path on which the files ended up without the label.
Trend Micro's Zero Day Initiative (ZDI) reported the DarkGate campaign's escalating activity, referencing previous zero-day exploits such as CVE-2024-21412, in which malware disguised as genuine software installers infiltrated user systems. Microsoft had already patched that issue in February.
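Because the whole bypass comes down to a file reaching the user without its Mark of the Web, the first check a defender can make is whether downloaded files on a machine actually carry that label. The PowerShell script below is an added example, not code from the article, from Trend Micro or from Microsoft: it audits a folder for files that lack the Zone.Identifier alternate data stream (the on-disk form of MotW) and reports the zone recorded for those that have it. It assumes Windows with an NTFS volume; the $Path parameter and its default are hypothetical.

```powershell
# Added example (not from the article): audit a folder for files that lack
# the Mark of the Web, i.e. the Zone.Identifier alternate data stream that
# SmartScreen consults before prompting on a downloaded file.
# Assumes Windows with NTFS; $Path is a hypothetical download folder.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# ZoneId values written into the stream by browsers and other URL-aware apps
$zoneNames = @{
    0 = 'LocalMachine'
    1 = 'LocalIntranet'
    2 = 'TrustedSites'
    3 = 'Internet'
    4 = 'RestrictedSites'
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $file = $_

    # Absence of the stream means no MotW: SmartScreen will not evaluate the
    # file when it is run, which is exactly the condition the bypass produced.
    $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($null -eq $stream) {
        [pscustomobject]@{ File = $file.FullName; ZoneId = $null; Status = 'NO MotW' }
        return
    }

    # Parse the ZoneId=<n> line out of the stream contents
    $content  = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneLine = $content | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $zoneId   = $null
    if ($zoneLine -and ($zoneLine -match '^ZoneId=(\d+)')) {
        $zoneId = [int]$Matches[1]
    }
    $label = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }

    [pscustomobject]@{ File = $file.FullName; ZoneId = $zoneId; Status = "MotW ($label)" }
} | Sort-Object Status, File | Format-Table -AutoSize
```

Files listed as NO MotW are not necessarily malicious (locally created files never carry the stream), but an installer-sized executable in a download folder without the label is worth a second look, since that is the state the article describes attackers producing through WebDAV copy-and-paste. The same Zone.Identifier check can be folded into an endpoint inventory or a SIEM enrichment step rather than run by hand.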
Continued Security Issues
SmartScreen vulnerabilities have consistently posed threats. Earlier, the Water Hydra group used CVE-2024-21412 in malware campaigns targeting stock trading and forex forums via the DarkMe trojan. Moreover, Elastic Security Labs identified a design flaw in Windows Smart App Control and SmartScreen dating back to 2018 that allowed programs to execute without the expected warnings.
Microsoft continues to address these vulnerabilities in its regular updates. The recent August 2024 Patch Tuesday addressed nine zero-day flaws, including six actively exploited vulnerabilities.