CVE-2024-21412 is a significant security flaw discovered in early 2024. This blog post outlines what this vulnerability is, how it can be exploited, and how you can protect your organisation from this and similar vulnerabilities.
What is CVE-2024-21412?
CVE-2024-21412 is a security feature bypass vulnerability in Windows Defender SmartScreen.
SmartScreen typically evaluates the safety of downloaded files and displays warnings for unrecognised or suspicious ones. But this vulnerability allows attackers to circumvent warnings and install malware on unsuspecting systems.
Which systems are affected?
CVE-2024-21412 impacts a broad range of Windows systems, including:
- Windows 10 (various versions)
- Windows 11 (various versions)
- Windows Server 2019 and later versions
How can this vulnerability be used against your systems?
Attackers exploited CVE-2024-21412 by crafting a Windows Internet shortcut (.url file) that pointed to another .url file on a remote SMB share. This technique tricked the system into automatically executing the file at the final location, bypassing SmartScreen's security warnings.
Researchers even created a proof-of-concept exploit, demonstrating how easy the vulnerability is to exploit.
Attackers also abused the Microsoft Search Protocol (MSP) to deceive users. They crafted malicious links that appeared to point to local files, but in reality, connected to an attacker-controlled server. This tricked users into opening malicious files without realising they were downloading them from an external source.
How to protect your organisation
Microsoft addressed CVE-2024-21412 with a patch released in mid-February 2024. Installing this patch is crucial to mitigate the risk associated with this vulnerability.
In addition to patching, organisations should implement comprehensive monitoring and detection systems to identify and mitigate threats across all stages of an attack. This includes using intrusion detection systems, firewalls, and security information and event management (SIEM) tools to monitor network traffic and system activity for suspicious behaviour.
Organisations should also consider employing advanced real-time behaviour analytics to monitor unusual activity and identify potential threats, even when they bypass traditional security measures. This involves analysing user and system behaviour patterns to detect anomalies that could indicate an attack.
Conclusion
CVE-2024-21412 highlights the importance of cybersecurity awareness and proactive measures, which can be mitigated with improved organisational cyber resilience and regular patching policies.
As always, staying informed about potential vulnerabilities is a crucial step in reducing the risk of your organisation being attacked.
Recommended content
To learn how to detect this vulnerability in a sandboxed environment, check out the following lab: CVE-2024-21412 (SmartScreen Bypass) – Elastic Log Analysis. In this lab, you'll use ElasticSearch to detect the presence of malicious URL files in logs.
Share your thoughts
Have you seen this vulnerability being exploited in the wild? Have you patched your systems yet? Share your thoughts by commenting in the thread below.
Immerser