New Windows Flaw Being Exploited

July 16, 2010

Brian Krebs, in his Krebs on Security blog, first warned yesterday about a newly-reported vulnerability in Microsoft Windows, which is apparently being exploited by a new strain of malware, distributed mainly (although not exclusively) by means of USB flash drives and other plug-in devices.  The vulnerability exists in the way that Windows processes “Shortcut” files; these are files that have a .LNK extension (which is usually hidden by default), and typically are links to a program or a folder (directory).  (They are somewhat analogous to symbolic links in UNIX/Linux systems.)    When a folder containing shortcuts is opened with Windows Explorer, the Windows Shell attempts to access the icon associated with each shortcut.  Apparently, it is possible to hijack this process to cause the execution of malicious code; the exploit does not seem to require the user to double-click the shortcut.

Microsoft has now issued a Security Advisory (2286198) about this issue, which apparently affects all supported versions of Windows.  The Advisory has a suggested work-around that disables the display of shortcut icons, by means of a manual edit to the Windows Registry.  As always, Registry modifications must be done with extreme care; blunders can leave you with an unusable system.

Exploiting the vulnerability essentially requires the attacker to add a directory, or directory sub-tree, to the existing filesystem on the PC.  The most obvious way to do this is by using an additional drive — hence the use of USB devices — but it is in principle also possible for an attacker to set up a network share that contains a malicious shortcut.  Once again, it is important to understand that the user does not have to run the program (ostensibly) pointed to by the shortcut; it is only necessary that the shortcut itself be parsed (as it is when Windows Explorer open the containing folder) for an attack to be launched.

The samples of malicious software that have been analyzed so far appear to install a rootkit that is primarily directed at collecting credentials, and apparently is targeted at industrial control and SCADA systems.  However, this has the possibility of becoming a popular attack vector, because it requires little in the way of user action to be activated.

I will post additional information here as it becomes available.

Update Friday, 16 July, 23:15 EDT

The Internet Storm Center at the SANS Institute now has a diary entry giving some more information on this exploit.

Update Sunday, 18 July, 17:55 EDT

According to the updated diary entry from the Internet Storm Center, a Proof-of-Concept exploit of this vulnerability has been published on the Internet.

Update Monday, 19 July, 16:35 EDT

Ars Technica now has an article posted that discusses this vulnerability.  They remind us that, although Windows 2000 and Windows XP without SP3 are vulnerable, they will not be fixed, since they are no longer supported.

%d bloggers like this: