Microsoft Patches Long-Exploited Mark of the Web (MotW)/LNK Stomping Vulnerability
Microsoft has addressed a critical vulnerability in Microsoft Defender's Application Control and SmartScreen in its September 2024 security update. This flaw, actively exploited by hackers since at least 2018, compromised the security of Windows users.
A security feature in Windows NT, known as Mark of the Web (MotW), automatically tags files downloaded from the internet so that a security warning is shown when they are opened. However, hackers discovered a workaround that bypasses this safeguard with relative ease, allowing files from the web to be opened without any security alert.
In a recent security bulletin, Microsoft explained that attackers could host malicious files on a server they control and trick users into downloading them. Such files bypass the Mark of the Web (MotW) feature, potentially compromising the integrity and availability of security functions like SmartScreen filtering and the older Windows Attachment Manager security prompts.
This vulnerability, designated CVE-2024-38217 and also known as LNK Stomping, was uncovered last month by Elastic Security. It exploits a flaw within the LNK shortcut specification, allowing attackers to create malicious files that manipulate Windows Explorer into incorrectly processing file specifications, effectively removing the Mark of the Web attribute.
Security researchers have noted that this vulnerability has been exploited for years: evidence of its use on VirusTotal dates back to 2018, indicating a six-year exploitation period.
Following a report to Microsoft, the company acknowledged the issue and has now rectified it in the latest Windows version with the September 2024 security update.
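Because the bypass works by leaving a downloaded file without its web tag, a useful check is to audit which shortcut files in a download location still carry a valid one. The following is an added example, not code from Microsoft or Elastic Security; it assumes the tag is stored the way Windows stores it on NTFS, as a `Zone.Identifier` alternate data stream holding a `[ZoneTransfer]` section with a `ZoneId` value, and all file names and stream contents in it are constructed samples.

```python
import configparser
from typing import Iterable, Optional, Tuple

# Windows URL security zones; ZoneId=3 marks a file as coming from the internet.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def read_motw(path: str) -> Optional[str]:
    """Read the Zone.Identifier stream of a file (Windows/NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream, or not an NTFS volume

def parse_motw(stream: Optional[str]) -> Optional[dict]:
    """Parse stream text; return None when the tag is absent or malformed."""
    if not stream:
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl)
    try:
        cp.read_string(stream.lstrip("\ufeff"))
        zone = cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return {"zone_id": zone, "zone": ZONES.get(zone, "Unknown"),
            "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None)}

def review_candidates(files: Iterable[Tuple[str, Optional[str]]]) -> list:
    """Return .lnk names that have no valid web tag and so open without a prompt."""
    return [name for name, stream in files
            if name.lower().endswith(".lnk") and parse_motw(stream) is None]

# Constructed samples: (file name, Zone.Identifier text or None if missing).
SAMPLES = [
    ("invoice.lnk", None),
    ("setup.exe", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/setup.exe\r\n"),
    ("notes.lnk", "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("broken.lnk", "ZoneId=3"),  # no section header: treated as untagged
]

if __name__ == "__main__":
    for name in review_candidates(SAMPLES):
        print("untagged shortcut, review:", name)
```

On a Windows host, feed `review_candidates` with `(path, read_motw(path))` pairs for the files under a downloads folder; shortcuts created locally also lack the tag, so the output is a review list rather than a verdict.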