Windows SmartScreen security has been compromised for years

You know that warning that pops up every time you want to install a new app in Windows? The one that sometimes prevents you from doing it when an app seems a little sketchy? Yeah, it’s busted… and it’s been busted—for at least six years—according to recent security research.

Get Windows 11 Pro for cheap

Windows 11 Pro

Windows Smart App Control (as it’s called in Windows 11) or Windows SmartScreen (as it’s known in Windows 8 and Windows 10) is designed to put up an extra barrier when you get chummy with executable files that are downloaded from unrecognized sources.

But Elastic Security Labs discovered that it’s shockingly easy to work around, letting malicious apps run without the standard check.

The easiest method is called “LNK stomping,” which circumvents the Mark of the Web identifier that’s placed on files by Windows’ built-in security system. It’s possible to create invalid code signatures on JavaScript and MSI files, or simply get around the check by appending a single dot or space to an executable path. It’s a kind of file management shell game that most users wouldn’t spot, but one that’s “trivial” to implement with a small script by hackers and other do-badders.

Elastic Security Labs discovered multiple other ways to bypass SmartScreen and Smart App Control, including reputation hijacking, reputation seeding, and reputation tampering. Technical breakdowns and examples (including some nicely animated GIFs!) are included on the page. The researchers have created an open-source tool to check potentially dangerous files for these workarounds.

These SmartScreen vulnerabilities appear to have been in place since at least 2018, according to BleepingComputer. While that’s disheartening, Microsoft tends to take these kinds of threats seriously once discovered, such as when a Windows update in April shored up some vulnerabilities in the Mark of the Web system.

Keep reading: Is Windows’ built-in security enough for regular users?

You know that warning that pops up every time you want to install a new app in Windows? The one that sometimes prevents you from doing it when an app seems a little sketchy? Yeah, it’s busted… and it’s been busted—for at least six years—according to recent security research.

Get Windows 11 Pro for cheap

Windows 11 Pro

Price When Reviewed:

199.99

Best Prices Today:

$59 at PCWorld Store – Win 11 Pro Upgrade Only |
$79.99 at PCWorld Software Store

Windows Smart App Control (as it’s called in Windows 11) or Windows SmartScreen (as it’s known in Windows 8 and Windows 10) is designed to put up an extra barrier when you get chummy with executable files that are downloaded from unrecognized sources.

But Elastic Security Labs discovered that it’s shockingly easy to work around, letting malicious apps run without the standard check.

The easiest method is called “LNK stomping,” which circumvents the Mark of the Web identifier that’s placed on files by Windows’ built-in security system. It’s possible to create invalid code signatures on JavaScript and MSI files, or simply get around the check by appending a single dot or space to an executable path. It’s a kind of file management shell game that most users wouldn’t spot, but one that’s “trivial” to implement with a small script by hackers and other do-badders.

Elastic Security Labs discovered multiple other ways to bypass SmartScreen and Smart App Control, including reputation hijacking, reputation seeding, and reputation tampering. Technical breakdowns and examples (including some nicely animated GIFs!) are included on the page. The researchers have created an open-source tool to check potentially dangerous files for these workarounds.

These SmartScreen vulnerabilities appear to have been in place since at least 2018, according to BleepingComputer. While that’s disheartening, Microsoft tends to take these kinds of threats seriously once discovered, such as when a Windows update in April shored up some vulnerabilities in the Mark of the Web system.

Keep reading: Is Windows’ built-in security enough for regular users? Read More