Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 17th, 2010

Windows .lnk Shortcut Zero-Day Critical Vulnerability Confirmed By Microsoft

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.

Malware targeting the security weakness in the handling of ‘lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootlet drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.

In an advisory, VirusBlokAda says it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code last month.

Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, security blogger Brian Krebs reports. Instead of using Windows Autoplay the spread the malware takes advantage in security weaknesses involving shortcut files. Malicious shortcuts on the USB are reportedly capable of auto-executing if users open an infected storage device on Windows Explorer. Normally users would have to click on the link for anything to happen.

Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.

“Looks like this malware was made for espionage,” Boldewin writes.

Firms faced with a spate of Windows autorun worms have responded by disabling outrun, but this advice may no longer be enough with the appearance of a new attack vector, Finnish security firm F-Secure warns. “Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files,” it adds.

Microsoft has released an advisory confirming a previously unknown vulnerability in the way Windows processes shortcut files (CVE-2010-2568). The critical bug is trivial to exploit, affects all versions of Windows and allows for arbitrary code execution.

According to Microsoft, all versions of Windows from Windows XP with Service Pack 3 forward, including both 32- and 64-bit flavors are affected. But, Chester Wisniewski, senior security advisor at Sophos Canada, points out that Windows 2000 and Windows XP SP2, which are no longer officially supported by Microsoft since earlier this week, are also vulnerable.

Even though the malware exploiting this vulnerability was spreading through USB devices, the bug itself can also be exploited from optical media, network shares and WebDAV. The temporary mitigation techniques suggested by Microsoft, involve disabling shortcut icons via a registry hack, which will result in a really weird experience for users, and stopping the WebClient service, which will severely impact SharePoint customers.

Credit: The Register

Share this item with others:

More on CyberInsecure:
  • Microsoft Rushes Out Emergency Fix For Critical LNK Bug
  • Microsoft Releases Emergency Patch For Critical Windows Vulnerability
  • Critical 0-day Vulnerability In Internet Explorer 6 And 7, Exploit Already Published
  • Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild
  • Critical Flash Player, Acrobat, Reader Vulnerability Exploited In The Wild

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Windows .lnk Shortcut Zero-Day Critical Vulnerability Confirmed By Microsoft

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.