Microsoft has patched a significant security vulnerability in its Windows SmartScreen feature. Cybercriminals have exploited this vulnerability as a zero-day to bypass protective measures and execute malicious attacks. The flaw, identified as CVE-2024-38213, was addressed during the June 2024 Patch Tuesday, but its severity and details were only recently disclosed.
SmartScreen is a protective measure in the Windows operating system that was first implemented in Windows 8. This feature aims to safeguard users from potentially dangerous software by applying a special tag to files obtained from the Internet, known as the ‘Mark of the Web’ (MotW).
When a user tries to open a file with this tag, the system displays a security alert, cautioning them about possible risks associated with the file.
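As an added example (not code from the article or from Microsoft), the following Python helper reads and parses the `Zone.Identifier` alternate data stream in which Windows stores the Mark of the Web, so an administrator can audit whether downloaded files actually carry the tag SmartScreen depends on. The sample stream text and the `example.test` URLs are constructed for illustration.

```python
from typing import Dict, Optional

# Constructed sample: the text Windows writes to a downloaded file's
# Zone.Identifier stream (field names are the documented ZoneTransfer keys).
SAMPLE_MOTW = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/\r\n"
    "HostUrl=https://example.test/setup.msi\r\n"
)

# URL security zones as used by ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream into a dict."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify(text: Optional[str]) -> str:
    """Describe what SmartScreen would see for a file: its zone, or no MotW at all."""
    if text is None:
        return "no MotW"                  # nothing for SmartScreen to act on
    fields = parse_zone_identifier(text)
    try:
        zone = int(fields.get("ZoneId", ""))
    except ValueError:
        return "malformed MotW"
    return ZONE_NAMES.get(zone, f"unknown zone {zone}")


def read_motw(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS on NTFS; None if the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:                       # no stream, or not an NTFS volume
        return None


if __name__ == "__main__":
    print(classify(SAMPLE_MOTW))          # Internet
```

Running `classify(read_motw(path))` over a downloads folder lists files that arrived without the tag and so never reach the SmartScreen prompt.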
However, the newly identified vulnerability allowed attackers to bypass this critical layer of defence. According to Microsoft’s security advisory, the flaw could be remotely exploited by unauthenticated attackers, though it required user interaction — specifically, convincing the victim to open a malicious file.
“An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience,” Microsoft stated in the advisory. “An attacker must send the user a malicious file and convince them to open it.”
Despite requiring user involvement, this flaw was already being exploited in the wild as early as March 2024. Security researchers attributed those attacks to a broader operation run by the operators of the DarkGate malware.
After experts notified Microsoft about the flaw, the company fixed it in the June update.
However, public disclosure of the vulnerability's details was delayed. Microsoft inadvertently omitted the advisory from the June and July security updates, only disclosing the full scope of the issue in August.
The attacks identified in March were part of a broader campaign by the DarkGate group, known for leveraging zero-day vulnerabilities to infiltrate systems. In this instance, the attackers exploited the SmartScreen bypass (CVE-2024-21412) to deliver malicious payloads disguised as legitimate software installers, including those for Apple iTunes, Notion, and Nvidia.
This is not the first time cybercriminals have targeted Windows SmartScreen, BleepingComputer reports. The CVE-2024-21412 flaw was itself a bypass of an earlier SmartScreen flaw (CVE-2023-36025), which was exploited to deploy Phemedrone malware in late 2023.
The same DarkGate group has been consistently active, using these vulnerabilities to target specific communities, such as stock training Telegram channels and forex trading forums, with the DarkMe remote access trojan (RAT).
Adding to the complexity, a design flaw in Windows Smart App Control and SmartScreen allowed attackers to launch programs without triggering security warnings since at least 2018. While Microsoft has acknowledged the issue, it has yet to confirm when a fix might be implemented.