LNK Stomping: New Attack Bypasses Smart App Control via CVE-2024-38217

As part of its recent Patch Tuesday update, which we have already covered in a separate article, Microsoft addressed a zero-day vulnerability in the Windows Smart App Control and SmartScreen features, which attackers had exploited for the past six years. Let us delve deeper into this security flaw.

Known as CVE-2024-38217, the vulnerability allowed threat actors to bypass the protective mechanisms of Smart App Control and the “Mark of the Web” (MotW) label, enabling the execution of untrusted or potentially dangerous applications without security warnings.

According to Microsoft, an attacker simply needed to place a specially crafted file on a controlled server to exploit this vulnerability and convince a user to download and open it. This manipulation would interfere with the MotW mechanism responsible for verifying downloaded files.

The vulnerability is particularly dangerous because attackers could craft malicious files that evade MotW protections, compromising the integrity and availability of security functions such as SmartScreen application reputation checks or Windows Attachment Services prompts.

Smart App Control in Windows 11 uses Microsoft’s cloud services and integrity-checking mechanisms to block potentially malicious applications. If this feature is disabled, SmartScreen automatically assumes the responsibility of safeguarding against dangerous content. Both security mechanisms activate when a file marked with the MotW label is opened.

In August, Elastic Security Labs revealed certain details regarding CVE-2024-38217, specifically concerning the handling of LNK files. An attack method, known as “LNK Stomping,” enables bypassing Smart App Control, which under normal circumstances would block untrusted applications from running.

The LNK Stomping technique involves creating files with incorrect paths or structures. When such a file is opened, Windows Explorer (explorer.exe) automatically alters its formatting, removing the MotW label and allowing the file to pass security checks. Attackers can add a space or a dot in the path to the executable (for instance, “powershell.exe”), which circumvents the security mechanisms and allows the file to run without triggering warnings.

Elastic researchers discovered that this vulnerability had been exploited as early as 2018. Several malicious file samples using this attack method, found in VirusTotal archives, date back to this period. Meanwhile, Microsoft has acknowledged the issue and confirmed that the vulnerability was fixed in the latest system update.

Thus, even well-established security mechanisms in major products can remain vulnerable for an extended period, despite substantial budgets and high security standards. Hackers need little incentive to exploit such enticing flaws, which means users should never lower their guard or dismiss vigilance.