PoC Exploit released for Microsoft Bug CVE-2023-36025

A working proof-of-concept exploit has become available for a critical zero-day vulnerability in Windows SmartScreen.

Microsoft released a patch in this month's Patch Tuesday security update, but the bug was already under active exploitation as a zero-day at the time. The public PoC now further heightens the need for organizations to address the bug if they haven't already done so.

CVE-2023-36025 is a security bypass flaw that gives attackers a way to sneak malicious code past Windows Defender SmartScreen checks without triggering any alerts. To exploit the flaw, an attacker would need to get a user to click on a maliciously crafted Internet shortcut (.URL) or a link pointing to such a file.

Microsoft has rated the bug as low in attack complexity, requiring only low privileges, and exploitable over the Internet. The vulnerability is present across almost the entire Windows OS estate. Several security researchers earlier this month had described CVE-2023-36025 as being among the higher-priority bugs to fix from Microsoft's November update.

The recent release of a PoC Internet shortcut file that an attacker could use to exploit CVE-2023-36025 is sure to heighten concerns around the vulnerability.


A user tricked into clicking on the file would land directly on the malicious site or execute malicious code without receiving any of the usual warnings from SmartScreen.

CVE-2023-36025 is being targeted by TA544, a threat group that Proofpoint and others have been tracking since at least 2017. Over the years, the group has used a variety of malware tools in campaigns targeting organizations in western Europe and Japan. It is best known for distributing the Ursnif (aka Gozi) banking Trojan and, more recently, a sophisticated second-stage downloader dubbed WikiLoader.

In this campaign, the threat actor has set up a unique webpage with links that direct users to a .URL file containing a path to a virtual hard disk (.vhd) file or to a .zip file hosted on a compromised website. CVE-2023-36025 gives the attackers a way to mount the VHD automatically on a system simply by having the user open the .URL file.
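The lure described above is a plain Internet shortcut whose URL= line points at a remote .vhd or .zip rather than a web page. That structure is easy to check for in mail-gateway quarantine or on file shares, so the following added example (not code from the article, Proofpoint, or Microsoft) parses the INI-style [InternetShortcut] format and flags shortcuts whose target is a remote container file. The two sample shortcuts are constructed for the test; the flagged extensions (.vhd, .zip) are the ones the article names, and the set can be widened (for example to .vhdx or .iso) as an assumption of your own environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Container types the article reports being delivered via .URL files.
# Widen this set as appropriate for your environment (assumption).
CONTAINER_EXTENSIONS = {".vhd", ".zip"}

# Constructed sample shortcuts (not artifacts from the article or campaign).
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

SAMPLE_SUSPICIOUS = """[InternetShortcut]
URL=file://203.0.113.10/share/invoice.vhd
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=3
"""


@dataclass
class UrlShortcut:
    url: str
    icon_file: Optional[str]


def parse_internet_shortcut(text: str) -> Optional[UrlShortcut]:
    """Parse a .URL file; return None if it has no [InternetShortcut] URL= key."""
    section = None
    url = None
    icon = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key == "url":
            url = value.strip()
        elif key == "iconfile":
            icon = value.strip()
    if url is None:
        return None
    return UrlShortcut(url=url, icon_file=icon)


def target_extension(url: str) -> str:
    """Lower-cased file extension of the target path (http, file:// or UNC)."""
    if url.startswith("\\\\"):            # UNC path: \\host\share\file.vhd
        path = url.replace("\\", "/")
    else:
        path = urlparse(url).path
    m = re.search(r"(\.[A-Za-z0-9]+)$", path)
    return m.group(1).lower() if m else ""


def is_remote(url: str) -> bool:
    """True when the target lives on a web server or a network share."""
    if url.startswith("\\\\"):
        return True
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https", "ftp"):
        return True
    # file:// with a non-local host is a network share, not a local file.
    return parsed.scheme == "file" and parsed.netloc not in ("", "localhost")


def assess(text: str) -> List[str]:
    """Return human-readable findings for one .URL file; empty means nothing flagged."""
    shortcut = parse_internet_shortcut(text)
    if shortcut is None:
        return []
    findings = []
    ext = target_extension(shortcut.url)
    if ext in CONTAINER_EXTENSIONS and is_remote(shortcut.url):
        findings.append(f"URL targets a remote {ext} container: {shortcut.url}")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, assess(sample) or "no findings")
```

A shortcut that resolves to a remote .vhd or .zip is not proof of exploitation, but it matches the delivery pattern the article describes and is worth quarantining for review until the November patch is confirmed on the receiving hosts.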


CVE-2023-36025 is the third zero-day bug in SmartScreen that Microsoft has disclosed so far this year. In February, researchers at Google found a threat actor abusing a previously unknown SmartScreen vulnerability to drop Magniber ransomware on target systems. Microsoft assigned the vulnerability as CVE-2023-24880 and issued a patch for it in March.

In July, the company patched CVE-2023-32049, a security bypass vulnerability in SmartScreen that threat actors were already actively exploiting at the time of patching.
