Microsoft Confirms Windows Zero Day Bug In Shortcut Files

The New Acunetix V12 Engine


This is a pretty nasty attack and for once Microsoft have actually acknowledged and confirmed this is a critical unpatched vulnerability. Incidentally Microsoft also recently retired Windows XP SP2 from the support cycle, and this vulnerability effects that system and they have stated they will not be patching it.

It’s a pretty serious bug and it seems hackers have been maliciously exploiting it in the wild for over a month. The Stuxnet malware has been using this vulnerability to gain access to machines then download further attack files including a root kit.

Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.

The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support , researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2. In a security advisory , Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows “shortcut” files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

“In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a post Friday to a company blog . Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.

Forstrom characterized the threat as “limited, targeted attacks,” but the Microsoft group responsible for crafting antivirus signatures said it had tracked 6,000 attempts to infect Windows PCs as of July 15.

Limited but targeted attacks are the worst kind as they can really burrow through corporate defenses. A lot of companies are taking this seriously, including all the main players in the anti-virus arena.

You have to wonder if Microsoft will break their patch tuesday policy and issue an emergency out-of-band patch for this.

Especially since more virus writers are picking up on this flaw meaning it’s becoming more widespread.


On Friday, Siemens alerted customers of its Simatic WinCC management software that attacks using the Windows vulnerability were targeting computers used to manage large-scale industrial control systems used by major manufacturing and utility companies. The vulnerability was first mentioned on June 17 in an alert issued by VirusBlokAda , a little-known security firm based in Belarus. Other security organizations, including U.K.-based Sophos and SANS Institute’s Internet Storm Center , picked up on the threat Friday. Security blogger Brian Krebs , formerly with the Washington Post, reported on it Thursday.

According to Microsoft, Windows fails to correctly parse shortcut files, identified by the “.lnk” extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC with little user interaction: All that’s necessary is that the user views the contents of the USB drive with a file manager like Windows Explorer.

Chester Wisniewski, a senior security advisory with Sophos, called the threat “nasty,” and said his tests showed that the exploit works even when AutoRun and AutoPlay — two functions that have previously been used by attackers to commandeer PCs using infected flash drives — are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7 , said Wisniewski in a blog entry Friday.

I’m sure they’ll come up with some reason for not patching this sooner rather than later. The scary part is the attack can still be carried out even if AutoRun and AutoPlay are disabled.

The rootkit also bypasses the security mechanisms in Windows 7 and Vista making this a very dangerous attack.

You can find a temporary workaround in the Microsoft Security Advisory here:

Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution

And Microsoft has stated they are working on a patch.

Source: Network World

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , , , , , , ,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


Comments are closed.