Microsoft issued a new Security Advisory on Friday, July 16th regarding an old Windows vulnerability associated with shortcut icons.
This vulnerability, which is rated as ‘Highly Critical’ by Secunia, affects every version of Windows back to and including Windows 2000. The flaw even affects Windows 7 Service Pack 1 Beta and Windows Server 2008 R2, which were only released a couple of weeks ago.
The flaw lies in the way the Windows Shell parses shortcut files. It can allow malicious code to be executed, typically from a USB thumb drive or other external storage media such as a CD or DVD. However, it has since been found that the flaw can also be triggered through malicious links in email and from malicious websites. Network shares and WebDAV are also viable venues for exploiting it.
Shortcuts are links to actual files and use the hidden .LNK extension. For the exploit to work, a specially crafted .LNK file needs to be parsed by Windows Explorer. The maliciously crafted file uses AutoPlay to execute the malicious code, but even where AutoPlay is disabled, as it is by default in Windows 7, the code is still able to run on a user’s computer. Users who operate as an Administrator are the most exposed to this flaw: if the exploit runs successfully, it can allow an attacker to take over the user’s computer.
In a blog post, Microsoft softened the severity of this flaw by stating that only ‘limited’ attacks have been observed so far. However, you can be sure that malicious hackers will be jumping on this very soon and that more widespread attacks will follow. Microsoft stated that most attacks are occurring in Iran and Indonesia and are related to malware known as the Stuxnet worm.
Hopefully, Microsoft will issue an ‘out-of-sequence’ patch for this flaw, but as of now they have only released a workaround ‘Fix it’ option which, for most users, will be more annoying than the exploit itself. It works by disabling the display of all .LNK icons: after applying the ‘Fix it’, every shortcut icon on the computer defaults to a white rectangular blank icon. Microsoft also offers directions for a manual fix aimed more at IT professionals. Recently, however, even these workarounds have been found not to be completely effective. The workarounds only apply to systems running Windows XP SP3, Server 2003, Vista, Server 2008, 7, and Server 2008 R2.
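As an added illustration of what the manual workaround amounts to (this script is not Microsoft’s and is not taken from the advisory text), the following PowerShell applies and reverts the two steps I recall from the advisory’s manual instructions: clearing the default value of the shortcut icon-handler registry keys, which is what makes every shortcut render as a blank icon, and disabling the WebClient service to close the WebDAV route. The backup file location is my own choice; run it from an elevated prompt.

```powershell
# Added example, not the page's or Microsoft's own code. Applies the registry
# and WebClient parts of the manual workaround for Advisory 2286198; -Revert undoes them.
param([switch]$Revert)

$keys = @('Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
          'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler')
# Backup path is an assumption chosen for this example.
$backup = Join-Path $env:ProgramData 'lnk-iconhandler-backup.json'

if (-not $Revert) {
    # Save the current default values (the icon handler CLSIDs) so the change can be undone.
    $saved = @{}
    foreach ($k in $keys) {
        if (Test-Path $k) { $saved[$k] = (Get-ItemProperty -Path $k).'(default)' }
    }
    $saved | ConvertTo-Json | Set-Content -Path $backup
    foreach ($k in $saved.Keys) {
        # An empty default value stops Explorer from loading the shortcut icon handler,
        # which is why shortcuts show the blank white icon afterwards.
        Set-ItemProperty -Path $k -Name '(default)' -Value ''
    }
    # WebDAV was reported as a delivery route, so stop and disable the WebDAV client.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
} else {
    # Restore the saved icon handler values and let WebClient start on demand again.
    $saved = Get-Content -Path $backup -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) {
        Set-ItemProperty -Path $p.Name -Name '(default)' -Value $p.Value
    }
    Set-Service -Name WebClient -StartupType Manual
}

# Explorer caches the handler, so restart it for the change to take effect.
Stop-Process -Name explorer -Force
Start-Process explorer.exe
```

Check the result by confirming that shortcuts on the desktop now display the blank icon; if they still show their normal icons, the handler value was not cleared or Explorer was not restarted.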
Because this worm also affects older versions of Windows, such as Windows 2000, Windows XP, and Windows XP SP2, the exploit is an even more dangerous threat, as those computers will NEVER receive a patch: Microsoft recently discontinued support for these operating systems. Given how many machines are still running this software, the exploit can have far-reaching and long-term effects.
This flaw has existed since the early days of Windows but has only recently been discovered. It is regarded as a ‘zero-day’ flaw, meaning that it was discovered only after it was already being actively exploited in the wild.
Hopefully Microsoft is working around the clock to permanently fix this flaw and will issue an ‘out-of-sequence’ patch soon. At the very worst, let’s hope it will be fixed in their next scheduled update, which is set for Tuesday, August 10th.
For more information on this exploit, visit Microsoft’s Security Advisory 2286198 and Support Articles.