The same crew beat the same defense twice in three months. The patch was the problem.
CVE-2023-24880 let Magniber ransomware bypass SmartScreen with malformed MSI signatures. It worked because Microsoft's earlier fix for nearly the same bug addressed one symptom and left the root cause standing. Narrow patches invite variants, and the attacker just comes back.
In December 2022, Microsoft patched a SmartScreen bypass, CVE-2022-44698, that the Magniber ransomware crew was using to deliver malware without a security warning. Three months later, the same crew was defeating the same defense again, this time with CVE-2023-24880. Google’s Threat Analysis Group, which found both, was blunt about why: the first patch fixed only a single aspect of the bug rather than the root cause, so the attackers simply found a new variant. This is the cleanest case study you’ll find for a specific, expensive failure mode: patching the symptom instead of the cause, and watching the same adversary walk back through the door.
What the bug is
CVE-2023-24880 is a SmartScreen security-feature bypass (CWE-863) that evades Mark-of-the-Web (MotW), the tag Windows attaches to files from the internet to trigger a warning. The technique: deliver an MSI installer signed with a malformed, invalid Authenticode signature. The bad signature made SmartScreen error out in a way that skipped the warning dialog entirely, so a downloaded, internet-flagged MSI ran with no prompt. Microsoft patched it on March 14, 2023, and CISA added it to the Known Exploited Vulnerabilities catalog the same day with the ransomware flag. TAG counted over 100,000 downloads of the malicious MSI files since January 2023, with more than 80% landing on users in Europe.
For the broader point about why SmartScreen bypasses keep happening and why you shouldn’t lean on the prompt, see the companion piece on CVE-2024-21412. This entry is about something narrower and arguably more important: patch quality.
Symptom versus root cause
CVE-2022-44698 and CVE-2023-24880 are, functionally, the same vulnerability: a malformed signature defeating SmartScreen’s MotW check. Magniber used the first variant with JScript files. When Microsoft patched it, the fix closed that specific path, the particular way that particular malformation was handled, without addressing the underlying weakness in how SmartScreen reacts when signature validation errors out. So the attackers changed the file type to MSI, used a different malformation, and the root weakness, still present, let them through again.
That’s the anatomy of a narrow patch. It makes the proof-of-concept stop working, the ticket close, and the metric improve, while leaving the actual flaw intact for anyone willing to find the next variant. And the people most willing to find the next variant are precisely the ones who were using the first one, because they already understand the bug and have the motivation. A symptom-level patch against a determined adversary isn’t a fix; it’s a brief inconvenience.
The lesson generalizes well beyond SmartScreen, and it cuts two ways, for vendors and for the defenders consuming their patches:
- A patch that stops the PoC is not necessarily a patch that fixes the bug. When a fix is suspiciously narrow, or when the same researcher or actor returns months later with a “new” CVE that smells like the old one, treat the underlying class as still-live and don’t assume the door is closed.
- Watch for variant CVEs against the same component and the same actor. A second bypass of the same defense by the same crew is a strong signal that the first fix was symptom-level. CVE-2023-24880 following CVE-2022-44698, both Magniber, both SmartScreen, is the textbook pattern.
- Root-cause fixes are the ones that actually retire a threat. The SmartScreen fixes that genuinely held were the ones that changed behavior fundamentally; the ones that patched a specific malformation invited the next bypass.
What to do
- Apply the March 2023 update, and stay current, since SmartScreen bypasses have continued to appear and each fix is worth taking.
- Don’t treat SmartScreen as a load-bearing control. Given the demonstrated history of narrow fixes and repeat bypasses, layer defenses that don’t depend on the MotW prompt firing: application control (WDAC/AppLocker), ASR rules, and blocking risky installer and script types delivered from the internet. MSI and JScript files arriving by download or email are the delivery vehicles here.
- Track the lineage of the bugs you patch. When a CVE is described as a variant or bypass of an earlier one, flag the whole class for extra scrutiny rather than assuming the latest patch is comprehensive.
- Hunt for the delivery pattern. Internet-downloaded MSI files executing without prompts, and the Magniber post-execution behavior, are the signals; the absence of a SmartScreen warning is not evidence of safety.
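As an added example (not code from the original note, Microsoft, or TAG), here is a Python hunt for the last two items: it parses the Mark-of-the-Web stream (Zone.Identifier) behind an executed file and flags internet-zone MSI and script executions without caring whether a SmartScreen prompt ever fired. The event records, file names, URLs and field names (`file`, `host_process`, `zone_identifier`) are constructed assumptions; `read_motw` shows how the same stream is read from a live NTFS file.

```python
import configparser
import os

# URLZONE values as Windows writes them into the Zone.Identifier stream.
INTERNET_ZONES = {3, 4}  # 3 = Internet, 4 = Restricted Sites
# Installer/script types used as delivery vehicles in the Magniber campaigns, plus close relatives.
RISKY_EXT = {".msi", ".js", ".jse", ".wsf", ".vbs"}

def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream; return None if it carries no [ZoneTransfer] tag."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
        sec = cp["ZoneTransfer"]
        zone = int(sec.get("ZoneId", "-1"))
    except (configparser.Error, KeyError, ValueError):
        return None
    return {"zone": zone, "referrer": sec.get("ReferrerUrl", ""), "host": sec.get("HostUrl", "")}

def read_motw(path):
    """Read the MotW alternate data stream of a file on NTFS; None if the file is untagged or missing."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

def hunt(records):
    """Flag every risky file type that was executed while tagged as coming from the internet."""
    findings = []
    for rec in records:
        ext = os.path.splitext(rec["file"])[1].lower()
        motw = parse_zone_identifier(rec.get("zone_identifier") or "")
        if ext in RISKY_EXT and motw and motw["zone"] in INTERNET_ZONES:
            findings.append({"file": rec["file"], "host_process": rec["host_process"], "host": motw["host"]})
    return findings

# Constructed execution records, not real telemetry: file that was launched, the process hosting it,
# and the Zone.Identifier stream content captured for that file.
SAMPLE_EVENTS = [
    {"file": r"C:\Users\alice\Downloads\invoice_setup.msi", "host_process": "msiexec.exe",
     "zone_identifier": "[ZoneTransfer]\nZoneId=3\nReferrerUrl=https://example.invalid/\n"
                        "HostUrl=https://example.invalid/invoice_setup.msi\n"},
    {"file": r"C:\Users\alice\Downloads\report.js", "host_process": "wscript.exe",
     "zone_identifier": "[ZoneTransfer]\nZoneId=3\n"},
    {"file": r"C:\Program Files\Vendor\setup.msi", "host_process": "msiexec.exe", "zone_identifier": ""},
    {"file": r"C:\Users\alice\Downloads\notes.txt", "host_process": "notepad.exe",
     "zone_identifier": "[ZoneTransfer]\nZoneId=3\n"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("internet-tagged risky file executed:", hit)
```

The two internet-tagged MSI and JScript executions are reported; the local installer and the text file are not, and nothing in the logic depends on a SmartScreen dialog having appeared.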
The reframe is for how you read a patch. A fix that makes the exploit stop working answers “did the symptom go away,” not “is the vulnerability gone,” and against a motivated attacker only the second question matters. CVE-2023-24880 is the proof: Microsoft patched, Magniber adapted, and the same defense fell again in three months because the root cause was never touched. When you see a narrow fix or a repeat offender, assume the class is still open and defend accordingly. We track variant and bypass entries with extra attention, because they’re the bugs where “patched” was the most misleading.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2023-24880 — 2023-03-14
- Microsoft MSRC: CVE-2023-24880 — 2023-03-14
- Google TAG: Magniber ransomware actors used a variant of Microsoft SmartScreen bypass — 2023-03
- SecurityWeek: Microsoft SmartScreen zero-day exploited to deliver Magniber ransomware — 2023-03