Microsoft rushes out patch for Windows shortcut vulnerability

Responding to an avalanche of criticism about the latest zero-day exploit, Microsoft has posted a quick-and-dirty patch that may dismay some users

Two days ago I wrote about a new zero-day attack vector in all modern versions of Windows. You may know it as the "LNK zero day" or the "USB zero day." Microsoft's Security Bulletin 2286198 advises that the "Vulnerability in Windows Shell Could Allow Remote Code Execution."

As I discussed in that article, the infection method bypasses almost all Windows security controls, effectively delivering drive-by infections in certain circumstances: Your users can get infected by simply opening the folder that contains the infected files.

[ Also on InfoWorld: The ISC warns "prepare for extensive attacks of Windows zero-day." | Now more than ever, you need InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Earlier warnings covered Windows shortcut files -- LNK files -- that could be jiggered to run infectious programs. Now comes word that certain PIF files (primarily associated with old DOS programs) can also be subverted. The first infectious samples came on USB drives, but it hasn't taken long to ascertain that the same techniques can be used on network shares, on WebDav files, in convoluted cases via Internet Explorer, and on documents (including Word and Excel documents and PowerPoint presentations) that can have shortcuts embedded in them.

At this point, there are widely available copies of working infection files. There's even a working exploit in a Metasploit module. The highly regarded SANS Internet Storm Center raised its overall Threat rating from Green to Yellow. Later, the Threat rating was lowered back to Green, although that move has generated considerable controversy.

To date, the only widespread report of an infection in the wild specifically targets Siemens SCADA equipment. According to a report today, one Siemens customer in Germany was infected. You can bet there will be many more exploits to follow. Admins are particularly paranoid about a worm escaping on a high-volume network share.

Microsoft has posted a "Fixit" one-click tool that disables shortcut icon rendering as part of Knowledge Base article KB 2286198. The Fixit simply deletes the (Default) value of Registry keys HKCR\lnkfile\shellex\IconHandler and HKCR\piffile\shellex\IconHandler. The KB article notes that disabling those keys will turn many built-in Windows icons into white boxes. Undoubtedly there will be side effects somewhere, but so far I haven't heard of anything significant.

If your users get upset over little Windows inanities, they may go bonkers when many of their beautiful Windows icons turn into white flags. Unfortunately, it now appears as if this little zero day is poised to spread quickly -- and traditional antivirus products may not be able to catch it in time. It would be wise to weigh the possible consequences of inaction.

This article, "Microsoft rushes out patch for Windows shortcut vulnerability," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies