Microsoft recently had a pretty toxic relationship with Office Macros. The saga consisted of first blocking, then unblocking, and finally re-blocking the potentially harmful feature in Office. However, threat actors have not stood still: their new tactics, techniques, and procedures (TTPs) include packaging malware inside ISO, LNK, and RAR files, among others.
Microsoft's David Weston, the Vice President of Enterprise and OS Security at Microsoft, took to Twitter yesterday to announce that the company has now improved the blocking capabilities of the Smart App Control (SAC) utility in Windows 11. He stated that SAC can now also block ISO and LNK files with the mark of the web (MOTW).
Windows 11 with smart app control blocks iso and lnk files that have mark of the web just like Macros. https://t.co/mfFCQMv6uf
— David Weston (DWIZZZLE) (@dwizzzleMSFT) August 2, 2022
However, SAC is actually capable of much more, as security researcher Will Dormann found out. Alongside ISO and LNK, Smart App Control can now also block IMG, VHD and VHDX file types.
Yeah, IMG is also protected. As are VHD and VHDX files. pic.twitter.com/upbkkArFeZ
— Will Dormann (@wdormann) August 2, 2022
And the list keeps growing as BleepingComputer notes that the following file types are also blocked:
- .appref-ms
- .bat
- .cmd
- .chm
- .cpl
- .js
- .jse
- .msc
- .msp
- .reg
- .vbe
- .vbs
- .wsf
Not every potentially dangerous file type is on the blocklist though, at least not yet, as Dormann noticed that the .diagcab file type, which was recently used in the MSDT "DogWalk" vulnerability, stays unblocked.
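As an added example, not code from the article or from Microsoft, the following PowerShell script audits a folder for files that carry the Mark of the Web and flags which of them have an extension on the block list reported above, plus the .diagcab gap Dormann noted. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the function names are my own.

```powershell
# Added example: list MOTW-tagged files and check them against the extensions
# reported as blocked by Smart App Control. Assumes NTFS alternate data streams.
$SacBlockedExtensions = @(
    '.iso', '.lnk', '.img', '.vhd', '.vhdx',
    '.appref-ms', '.bat', '.cmd', '.chm', '.cpl', '.js', '.jse',
    '.msc', '.msp', '.reg', '.vbe', '.vbs', '.wsf'
)
$NotYetBlocked = @('.diagcab')   # reported by Dormann as still unblocked

function Get-MotwZone {
    param([string]$Path)
    # The Mark of the Web is stored in the Zone.Identifier alternate data stream.
    # ZoneId=3 is the Internet zone, ZoneId=4 is Restricted Sites.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no stream means the file carries no MOTW
    }
    $line = $ads | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Find-MotwFiles {
    param([string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        # Treat Internet (3) and Restricted (4) zones as "downloaded from the web"
        if ($null -ne $zone -and $zone -ge 3) {
            $ext = $_.Extension.ToLowerInvariant()
            [pscustomobject]@{
                Path       = $_.FullName
                ZoneId     = $zone
                SacBlocked = $SacBlockedExtensions -contains $ext
                KnownGap   = $NotYetBlocked -contains $ext
            }
        }
    }
}

# Usage: audit the current user's Downloads folder
Find-MotwFiles -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

The script only reports the MOTW tag and the extension match; it does not query Smart App Control itself, so treat a `SacBlocked` of `True` as "on the list reported here", not as a verdict from SAC.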
However, .diagcab files (e.g. used by "DogWalk") are NOT blocked.
— Will Dormann (@wdormann) August 3, 2022
It would be nice to know a definitive list of what's blocked. pic.twitter.com/Jy5OoNaA0a
When asked about the matter, Microsoft's Jeffrey Sutherland said that a full list of all restricted file extensions will be made available soon.
Yes we plan to document the blocked extension list and will be posting that topic a bit closer to general availability for the release. We also will be updating the “Signed and Reputable” template in the WDAC wizard to match the Smart App Control WDAC XML
— Jeffrey Sutherland (@j3ffr3y1974) August 2, 2022
For now, Smart App Control is available to Windows 11 22H2 Insiders who are running new installs.