Watch out for this nasty zero-day exploit
Windows' dumb way of handling certain shortcut icons opens door to new rootkit exploit that can nail fully patched systems
An antivirus company based in Belarus called VirusBlokAda claims that its researchers have discovered two malicious files, called ~wtr4132.tmp and ~wtr4141.tmp, and added them to the company's antivirus signature file. In spite of the ".tmp" filename extension, both files contain programs. Those programs install a rootkit on Windows machines, including fully patched Windows 7 machines, and they propagate using a previously unknown mechanism.
The precise infection method is still being investigated and dissected by black hats and white hats all over the world, but the samples that have surfaced in print show four shortcut files: plain old everyday LNK files, much like the ones you find scattered all over your desktop. Somehow working in collusion, one or more of the four LNK files and two TMP files can pwn any modern Windows machine.
Microsoft Security Advisory 2286198, titled "Vulnerability in Windows Shell Could Allow Remote Code Execution," acknowledges the security hole and states that Windows XP SP3, Server 2003 SP2, Vista, Windows 7, and Server 2008 and R2, in all flavors, are vulnerable. Others have found that this zero-day hole also affects Windows XP SP2 and Windows 2000. Of course, both of those versions lapsed into unsupported status last week, but when Microsoft issues a fix for this problem, I figure there's a 99.99 percent chance that it'll be available for XP SP2 and Win2000 as well -- so much for end-of-life dates.
Apparently, the security hole occurs as a by-product of the way Windows itself offers up an icon for a shortcut. There aren't many details available about the process, but it appears to go like this: