Exploit for Critical Windows Defender Bypass Goes Public

Threat actors were actively exploiting CVE-2023-36025 in Windows SmartScreen as a zero-day vulnerability before Microsoft patched it in November.

3 Min Read
Concept illustration of a vulnerability exploit
Source: tomfallen via Shutterstock

A proof-of-concept exploit (PoC) has become available for a critical zero-day vulnerability in the Windows SmartScreen technology.

Microsoft issued a patch for the issue in its November Patch Tuesday security update, but the bug was already under active exploit at the time as a zero-day. Now, the PoC further heightens the need for organizations to address the bug, if they haven't done so already.

Security Bypass for Getting Past Defender

CVE-2023-36025 is a security bypass flaw that gives attackers a way to sneak malicious code past Windows Defender SmartScreen checks without triggering any alerts. To exploit the flaw, an attacker would need to get a user to click on a maliciously crafted Internet shortcut (.URL) or a link pointing to such a file.

Microsoft has identified the bug as involving low attack complexity, requiring only low privileges and exploitable over the Internet. The vulnerability is present in Windows 10, Windows 11, and in Windows Server 2008 and later releases. Several security researchers earlier this month had described CVE-2023-36025 as being among the higher priority bugs to fix from Microsoft's November update.

The recent release of a PoC Internet shortcut file that an attacker could use to exploit CVE-2023-36025 is sure to heighten concerns around the vulnerability.

The script basically shows how an attacker could generate a seemingly legitimate looking but malicious .URL file and distribute it via a phishing email. "This .URL file points to a malicious website but could be presented as something legitimate," the researcher who wrote the attack script noted. "An attacker could deliver this crafted .URL file via phishing emails or through compromised websites."

A user tricked into clicking on the file would land directly on the malicious site or execute malicious code without receiving any of the usual warnings from SmartScreen.

"The exploitation of CVE-2023-36025 can lead to successful phishing attacks, malware distribution, and other cybersecurity threats," the researcher said.

APT Group TA544 Among Those Abusing Flaw

Among those targeting CVE-2023-36025 is TA544, a financially motivated, advanced persistent threat (APT) actor that Proofpoint and others have been tracking since at least 2017. Over the years, the threat group has used a variety of malware tools in campaigns targeting organizations in western Europe and Japan. But it is best known for distributing the Ursnif (aka Gozi) banking Trojan, and more recently a sophisticated second-stage downloader dubbed WikiLoader.

This week, a researcher at Proofpoint reported observing TA544 abusing CVE-2023-36025 in a campaign involving Remcos, a remote access Trojan that various threat actors have used over the years to remotely control and monitor compromised Windows devices. For the present campaign, the threat actor has established a unique webpage with links that direct users to a .URL file containing a path to a virtual hard disk (.vhd) file or to a .zip file hosted on a compromised website. CVE-2023-36025 gives the attackers a way to automatically mount the VHD on systems just by opening the .URL file, the researcher said.

"SmartScreen is used by Windows to prevent phishing attacks or access to malicious websites and the download of untrusted or potentially malicious files," Kev Breen, senior director of threat research at Immersive Labs, had noted when Microsoft first disclosed the SmartScreen vulnerability earlier this month. "This vulnerability suggests that a specially crafted file could be used by attackers to bypass this check, reducing the overall security of the operating system."

CVE-2023-36025 is the third zero-day bug in SmartScreen that Microsoft has disclosed so far this year. In February, researchers at Google found a threat actor abusing a previously unknown SmartScreen vulnerability to drop Magniber ransomware on target systems. Microsoft assigned the vulnerability as CVE-2023-24880 and issued a patch for it in March.

In July, the company patched CVE-2023-32049, a security bypass vulnerability in SmartScreen that threat actors were already actively exploiting at the time of patching.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights