Microsoft rushes out patch for Windows shortcut vulnerability
Responding to an avalanche of criticism about the latest zero-day exploit, Microsoft has posted a quick-and-dirty patch that may dismay some users
Two days ago I wrote about a new zero-day attack vector in all modern versions of Windows. You may know it as the "LNK zero day" or the "USB zero day." Microsoft's Security Bulletin 2286198 advises that the "Vulnerability in Windows Shell Could Allow Remote Code Execution."
As I discussed in that article, the infection method bypasses almost all Windows security controls, effectively delivering drive-by infections in certain circumstances: Your users can get infected by simply opening the folder that contains the infected files.
Earlier warnings covered Windows shortcut files -- LNK files -- that could be jiggered to run infectious programs. Now comes word that certain PIF files (primarily associated with old DOS programs) can also be subverted. The first infectious samples came on USB drives, but it hasn't taken long to ascertain that the same techniques can be used on network shares, on WebDAV files, in convoluted cases via Internet Explorer, and on documents (including Word and Excel documents and PowerPoint presentations) that can have shortcuts embedded in them.
At this point, there are widely available copies of working infection files. There's even a working exploit in a Metasploit module. The highly regarded SANS Internet Storm Center raised its overall Threat rating from Green to Yellow. Later, the Threat rating was lowered back to Green, although that move has generated considerable controversy.










