The Cybersecurity Lair™ • Aug 06, 2024

Latest News | New Research Reveals Long-Standing Windows Vulnerability in SmartScreen and SAC

Windows Security Flaw: LNK Stomping Technique Allows Malicious Apps to Slip Through Alerts

Elastic Security Labs has uncovered a significant security flaw in Windows, specifically affecting SmartScreen and Smart App Control (SAC). This vulnerability, known as "LNK Stomping," has been exploited for the past six years, allowing malicious applications to bypass security alerts. The issue stems from a bug in how Windows handles shortcut files (.LNK), which can strip away the Mark of the Web (MotW) tag—essential for SmartScreen and SAC to identify potentially harmful software. While Microsoft has been informed, no immediate patch has been promised, leaving a critical gap for defenders.


The LNK Stomping technique involves manipulating the internal structure of Windows shortcut files (.LNK) so that the MotW tag is lost. By introducing minor errors in the shortcut's target path, such as appending a period or a space, the attacker creates a non-canonical shortcut; when it is opened, Windows Explorer corrects the path and rewrites the file, and the rewritten file no longer carries the MotW tag. This allows malicious files to bypass SmartScreen and SAC, which rely on the MotW tag to decide whether to inspect a file. Research by Elastic Security Labs identified samples of this technique dating back over six years, demonstrating its ongoing use.


Technical Key Points:


  • LNK Stomping: Exploits a flaw in .LNK file handling to bypass MotW.
  • Mark of the Web (MotW): Digital tag used by SmartScreen and SAC to identify potentially dangerous files.
  • Error Induction: Minor target path errors in .LNK files force Windows Explorer to correct the path, removing the MotW tag.
  • Research Findings: Vulnerability identified in VirusTotal samples dating back six years.
  • Other Bypass Techniques: Include Reputation Hijacking, Reputation Seeding, and Reputation Tampering.


Potential Mitigations:


  • Detection Engineering: Adjust detection mechanisms to cover gaps in SmartScreen and SAC.
  • Security Awareness: Educate users and administrators about recognizing potential threats and unusual file behaviours.
  • Patch Monitoring: Stay updated with Microsoft’s patch releases and implement fixes as they become available.
  • Enhanced Scanning: Implement additional security tools that do not solely rely on MotW for threat detection.
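To make the detection engineering point concrete, here is an added example (not code from Elastic Security Labs or the source article) that parses the path-bearing fields of an MS-SHLLINK (.LNK) file and flags targets ending in a period or space, the non-canonical form Explorer rewrites. The layout constants come from the public spec; the trailing-character heuristic, the `build_lnk` helper and the sample shortcut it constructs are my own assumptions.

```python
import struct

# Field constants from MS-SHLLINK (real values).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_BITS = (0x04, 0x08, 0x10, 0x20, 0x40)   # NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
PATH_BITS = {0x08, 0x10, 0x40}                       # the StringData entries that hold paths
HEADER_SIZE, LNK_CLSID = 0x4C, bytes.fromhex("0114020000000000c000000000000046")

def build_lnk(target: str) -> bytes:
    """Constructed sample (assumption): a minimal shortcut whose LinkInfo/LocalBasePath and RELATIVE_PATH name `target`."""
    flags = HAS_LINK_INFO | 0x08 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"          # minimal VolumeID: fixed disk, empty label
    base = target.encode("cp1252") + b"\x00"
    info_size = 0x1C + len(volume) + len(base) + 1
    link_info = struct.pack("<IIIIIII", info_size, 0x1C, 1, 0x1C, 0x1C + len(volume), 0, info_size - 1)
    rel = (".\\" + target.rsplit("\\", 1)[-1]).encode("utf-16-le")
    return header + link_info + volume + base + b"\x00" + struct.pack("<H", len(rel) // 2) + rel

def lnk_path_fields(data: bytes) -> list[str]:
    """Return the path-bearing fields of a shortcut: LinkInfo LocalBasePath plus the path StringData entries."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    pos, paths = HEADER_SIZE, []
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the IDList; shell-item parsing is outside this example
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 1:                    # VolumeIDAndLocalBasePath present; offset is relative to LinkInfo
            start = pos + base_off
            paths.append(data[start:data.index(b"\x00", start)].decode("cp1252"))
        pos += info_size
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_DATA_BITS:              # StringData entries follow in fixed order; each present one is consumed
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + n * width]
            if bit in PATH_BITS:
                paths.append(raw.decode("utf-16-le" if width == 2 else "cp1252"))
            pos += 2 + n * width
    return paths

def stomped_fields(data: bytes) -> list[str]:
    """Heuristic (assumption): a path ending in '.' or ' ' is non-canonical and Explorer will rewrite the shortcut."""
    return [p for p in lnk_path_fields(data) if p != p.rstrip(". ")]

if __name__ == "__main__":
    for t in ("C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\System32\\notepad.exe."):
        print(repr(t), "->", stomped_fields(build_lnk(t)))
```

Run the same check over a directory of shortcuts collected from mail attachments or downloads to surface candidates for closer inspection; a hit is a trigger for analysis, not proof of malice.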


The discovery of the LNK Stomping technique highlights a serious and longstanding vulnerability in Windows security. With malicious apps managing to evade detection for over six years, it underscores the need for improved detection strategies and robust mitigation measures. While Microsoft has been notified of the issue, security professionals must adapt their defences in the interim and remain vigilant for updates that address this critical flaw.


Source and further reading:


Bad apps bypass Windows security alerts for six years using newly unveiled trick. (n.d.). Newsfusion. https://go.newsfusion.com/security/item/2340689
