What is Windows SmartScreen?
Windows SmartScreen is a cloud-based reputation service integrated into Windows Explorer and Microsoft Edge that checks files and URLs against a reputation database when a user attempts to execute a downloaded file or visit a web page. Files marked with the Mark of the Web (MOTW — an NTFS alternate data stream indicating internet origin) trigger SmartScreen checks at execution time: if the file's hash or publisher is unknown or has a poor reputation, Windows displays a warning dialog that strongly discourages execution. SmartScreen is a critical last-resort defense against malware delivered via phishing and drive-by downloads, operating after a file is already on disk. Bypassing SmartScreen allows malware to execute without triggering this warning, significantly increasing the success rate of phishing campaigns.
Overview
CVE-2023-24880 is a security feature bypass vulnerability (CWE-863) in Windows SmartScreen that allows an attacker to craft a malicious file that evades Mark of the Web defenses and executes without triggering SmartScreen reputation warnings. The bypass involves crafting a file — specifically an MSI installer with an invalid Authenticode signature — that Windows SmartScreen incorrectly treats as trusted, suppressing the warning dialog. Microsoft patched CVE-2023-24880 in the March 2023 Patch Tuesday as an actively exploited zero-day — simultaneously added to the CISA KEV catalog on March 14, 2023. The "Known Ransomware Use" designation reflects Magniber ransomware's active use of this bypass for malware delivery.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Windows 10 (multiple versions) | Yes | March 2023 cumulative update |
| Windows 11 (multiple versions) | Yes | March 2023 cumulative update |
| Windows Server 2016 through 2022 | Yes | March 2023 cumulative update |
Technical Details
The SmartScreen bypass (CWE-863 — Incorrect Authorization) involves a flaw in how SmartScreen evaluates the Authenticode digital signature of executable files during the reputation check. Microsoft's research identified that crafting an MSI (Windows Installer) package with an invalid or malformed Authenticode signature caused SmartScreen to:
- Treat the signature as "present" (bypassing the "unsigned executable from internet" warning path)
- Not verify the signature's validity against a trusted root
- Skip or suppress the reputation warning that would normally block unsigned or unknown-publisher files from executing
The result is that the malicious MSI can be delivered via a phishing email or web download, carried with the MOTW zone identifier marking it as internet-sourced, but executes without a SmartScreen warning when the user double-clicks it — appearing to Windows as if it carries a valid code signature.
The CVSS vector (AV:L/PR:N/UI:R/I:L/A:L) reflects the low overall impact assessed for the bypass alone — the bypass itself doesn't execute code or access data, but it removes a protective layer that prevents a user from running a malicious file.
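As an added defender-side example (not from this advisory), the following PowerShell triage script lists internet-sourced MSI files whose Authenticode signature is present but not valid, which is the combination this bypass abused. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the download folder path is a placeholder.

```powershell
# Added example: find MSI files carrying Mark of the Web (Zone.Identifier ADS,
# ZoneId=3 = Internet) whose Authenticode signature does not verify as Valid.
# $DownloadRoot is an assumed starting point; adjust to the share or folder in scope.
$DownloadRoot = Join-Path $env:USERPROFILE 'Downloads'

function Get-MotwZone {
    param([string]$Path)
    # Zone.Identifier is an NTFS alternate data stream written by browsers/mail clients.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no ADS: file was not marked as coming from the internet
    }
    $line = $ads | Where-Object { $_ -match '^ZoneId=\d+' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

Get-ChildItem -LiteralPath $DownloadRoot -Filter *.msi -File -Recurse |
ForEach-Object {
    $zone = Get-MotwZone $_.FullName
    # Status values: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        File       = $_.FullName
        ZoneId     = $zone
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Internet-sourced MSI without a Valid signature: exactly what should have
        # produced a SmartScreen warning before the March 2023 fix.
        Suspicious = ($zone -eq 3) -and ($sig.Status -ne 'Valid')
    }
} | Where-Object Suspicious | Format-Table -AutoSize
```

A signed-but-invalid result (HashMismatch or NotTrusted on a ZoneId=3 file) is the case worth escalating; NotSigned files would already have been warned on.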
Discovery
CVE-2023-24880 was discovered by Benoit Sevens and Vlad Stolyarov of Google's Threat Analysis Group (TAG), who identified it being actively exploited in the Magniber ransomware delivery chain. They reported it to Microsoft, which patched it in the March 2023 Patch Tuesday. The simultaneous KEV addition on Patch Tuesday confirms the zero-day status and active exploitation.
Exploitation Context
Magniber ransomware — a ransomware family predominantly targeting South Korean and East Asian users — used CVE-2023-24880 to bypass SmartScreen and deliver ransomware without triggering Windows security warnings. The exploitation workflow:
- The victim receives a phishing email or visits a compromised/malicious website containing a link to a malicious .msi file
- The victim downloads and double-clicks the MSI file
- SmartScreen fails to warn the user due to CVE-2023-24880's bypass
- The MSI executes and installs Magniber ransomware, encrypting the victim's files
The bypass was particularly effective because users have been trained to look for the SmartScreen warning as a safety signal — its absence provides false assurance that the file is safe. CVE-2023-24880 is part of a series of SmartScreen and MOTW bypasses exploited in 2022–2023, including CVE-2022-44698 and CVE-2023-36584, reflecting sustained attacker investment in circumventing this defensive layer.
Remediation
- Apply the March 2023 Windows cumulative update — patches CVE-2023-24880 in SmartScreen.
- Enable SmartScreen and ensure it is not disabled — verify SmartScreen is enabled via Windows Security settings or group policy; it must not be disabled by end users or system administrators.
- Enable Attack Surface Reduction (ASR) rules — rules that block untrusted and unsigned processes from running, and that block executable content from email clients and web clients, provide defense-in-depth against malware delivery.
- Deploy application allowlisting — Windows Defender Application Control (WDAC) or AppLocker policies can restrict which MSI packages and executables are permitted to run, regardless of SmartScreen state.
- User awareness training — educate users that even when no security warning appears, unsolicited downloads or unexpected installer files should not be executed; the absence of a SmartScreen warning is not sufficient to confirm file safety.
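An added example (not from this advisory) that audits, and optionally enforces, the SmartScreen and ASR settings the remediation list calls for. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender; the registry paths are the standard SmartScreen policy locations and the two ASR rule GUIDs are Microsoft's published identifiers for the rules named above.

```powershell
# Added example: report SmartScreen (Explorer) and ASR state; change nothing
# unless -Enforce is given. Run as administrator.
param([switch]$Enforce)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

# 1. SmartScreen for Explorer. A policy value (EnableSmartScreen) overrides the
#    per-machine value (SmartScreenEnabled: 'Warn', 'RequireAdmin', 'Block', 'Off').
$ssPolicy = (Get-ItemProperty $policyKey -ErrorAction SilentlyContinue).EnableSmartScreen
$ssLocal  = (Get-ItemProperty $localKey  -ErrorAction SilentlyContinue).SmartScreenEnabled
$ssOn = if ($null -ne $ssPolicy) { $ssPolicy -eq 1 } else { $ssLocal -and $ssLocal -ne 'Off' }
"SmartScreen (Explorer): policy=$ssPolicy local=$ssLocal -> enabled=$ssOn"
if ($Enforce -and -not $ssOn) {
    New-Item $policyKey -Force | Out-Null
    Set-ItemProperty $policyKey -Name EnableSmartScreen     -Value 1       -Type DWord
    Set-ItemProperty $policyKey -Name ShellSmartScreenLevel -Value 'Block' -Type String
}

# 2. ASR rules (action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
$asrWanted = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
}
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
foreach ($guid in $asrWanted.Keys) {
    $state = 'NotConfigured'
    for ($k = 0; $k -lt $ids.Count; $k++) {
        # Stored GUID casing varies, so compare case-insensitively.
        if ($ids[$k] -ieq $guid) { $state = [int]$acts[$k]; break }
    }
    "ASR $guid ($($asrWanted[$guid])): $state"
    if ($Enforce -and $state -ne 1) {
        # Add-MpPreference appends to the existing rule list rather than replacing it.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid -AttackSurfaceReductionRules_Actions Enabled
    }
}
```

Run it without -Enforce first and compare the output against your baseline; a reported state of 2 (Audit) means the rule logs but does not block.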
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-24880 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2023-03-14 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 4.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
| Severity | MEDIUM |
| CWE | CWE-863 |
| CISA KEV Added | 2023-03-14 |
| CISA KEV Deadline | 2023-04-04 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2023-03-14 | Microsoft March 2023 Patch Tuesday — CVE-2023-24880 patched as an actively exploited zero-day; CVE published and CISA KEV added on the same day |
| 2023-04-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center Advisory | Vendor Advisory |
| NVD — CVE-2023-24880 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |