You know that warning that pops up every time you want to install a new app in Windows? The one that sometimes prevents you from doing it when an app seems a little sketchy? Yeah, it’s busted… and it’s been busted—for at least six years—according to recent security research.
Windows Smart App Control (as it’s called in Windows 11) or Windows SmartScreen (as it’s known in Windows 8 and Windows 10) is designed to put up an extra barrier when you get chummy with executable files that are downloaded from unrecognized sources.
But Elastic Security Labs discovered that it’s shockingly easy to work around, letting malicious apps run without the standard check.
The easiest method is called “LNK stomping,” which circumvents the Mark of the Web identifier that’s placed on files by Windows’ built-in security system. It’s possible to create invalid code signatures on JavaScript and MSI files, or simply get around the check by appending a single dot or space to an executable path. It’s a kind of file management shell game that most users wouldn’t spot, but one that’s “trivial” to implement with a small script by hackers and other do-badders.
Elastic Security Labs discovered multiple other ways to bypass SmartScreen and Smart App Control, including reputation hijacking, reputation seeding, and reputation tampering. Technical breakdowns and examples (including some nicely animated GIFs!) are included on the page. The researchers have created an open-source tool to check potentially dangerous files for these workarounds.
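To make the trailing dot or space trick concrete from the defender's side, here is a minimal check for it, added as an example (it is not Elastic Security Labs' tool and not code from the original article). It assumes the shortcut stores its target in the `LinkInfo` `LocalBasePath` field described in Microsoft's MS-SHLLINK format; the function names and the sample shortcut bytes are constructed for illustration.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2  # LinkFlags bits from MS-SHLLINK

def lnk_local_base_path(data: bytes):
    """Return LinkInfo.LocalBasePath from raw .lnk bytes, or None if absent."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:  # skip IDListSize (2 bytes) plus the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    # LinkInfo: size, header size, flags, VolumeIDOffset, LocalBasePathOffset, ...
    info_flags, _vol_off, base_off = struct.unpack_from("<III", data, pos + 8)
    if not info_flags & 0x1 or base_off == 0:  # VolumeIDAndLocalBasePath unset
        return None
    start = pos + base_off
    end = data.index(b"\0", start)
    return data[start:end].decode("cp1252", errors="replace")  # code page assumed

def ends_with_dot_or_space(path: str) -> bool:
    """True when the final path component carries a trailing dot or space."""
    leaf = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf not in ("", ".", "..") and leaf[-1] in ". "

def lnk_is_suspicious(data: bytes) -> bool:
    path = lnk_local_base_path(data)
    return path is not None and ends_with_dot_or_space(path)

def build_sample_lnk(target: str) -> bytes:
    """Constructed test input: header plus LinkInfo only (no IDList, no VolumeID)."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINK_INFO).ljust(76, b"\0")
    path = target.encode("ascii") + b"\0"
    info = struct.pack("<7I", 28 + len(path) + 1, 28, 0x1, 0, 28, 0, 28 + len(path))
    return header + info + path + b"\0"

if __name__ == "__main__":
    for target in (r"C:\Tools\app.exe", r"C:\Tools\app.exe.", "C:\\Tools\\app.exe "):
        print(repr(target), lnk_is_suspicious(build_sample_lnk(target)))
```

Shortcuts that keep their target only in the IDList or in other fields are not covered by this check.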
These SmartScreen vulnerabilities appear to have been in place since at least 2018, according to BleepingComputer. While that’s disheartening, Microsoft tends to take these kinds of threats seriously once discovered, such as when a Windows update in April shored up some vulnerabilities in the Mark of the Web system.