Recent reports of a sophisticated attack exploiting a flaw in how Windows handles shortcuts have prompted Microsoft to put out a security advisory, reports PCMag. All current versions of Windows suffer from the flaw; that includes XP up to the just-released service pack for Windows 7 and Server 2008 R2.
The flaw comes from the way Windows handles shortcut (.LNK) files when they are processed by the shell, which typically means Windows Explorer. The attack is commonly spread with removable devices such as flash drives and CDs carrying a malicious shortcut file and an associated binary. The malicious code can be run simply when the victim browses to the root folder of the drive, because the shell loads and parses the shortcut's icon to display it.
Having AutoPlay disabled helps, because then the attack only works if the victim manually browses to the root folder of the device. Windows 7 has AutoPlay for removable disks disabled by default. Flash drives aren’t the only carriers for this malware, however; it can also be spread via network shares or remote WebDAV shares.
Microsoft lists two workarounds: disabling shortcut icons, which would make Windows look strange, and disabling WebDAV, which would only close that one possible route of attack. As for patch development, PCMag explains what we might expect:
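As an added example (not code from the article, PCMag or Microsoft), here is a small Python triage script that parses the fixed ShellLinkHeader and StringData of .LNK files found at a drive root and flags any whose icon is drawn from a loose binary sitting next to the shortcut, the shortcut-plus-binary pairing described above. The shortcut contents and drive-root file names are constructed, and the list of "loadable" extensions is a heuristic assumption.

```python
import struct

# MS-SHLLINK layout: a 76-byte ShellLinkHeader, then optional structures selected by
# LinkFlags, then StringData fields in file order, each gated by its own flag bit.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_FIELDS = [(1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
                 (1 << 5, "arguments"), (1 << 6, "icon_location")]
LOADABLE = (".dll", ".exe", ".cpl", ".scr", ".tmp")   # heuristic assumption


def parse_lnk(data):
    """Return the StringData fields of a .LNK (enough to see where its icon comes from)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_ID_LIST:      # skip IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    out, width = {}, 2 if flags & IS_UNICODE else 1
    for flag, name in STRING_FIELDS:
        if flags & flag:         # CountCharacters, then that many chars, no terminator
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return out


def build_lnk(relative_path, icon_location):
    """Constructed minimal Unicode .LNK (no IDList, no LinkInfo) for the demo below."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, (1 << 3) | (1 << 6) | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, icon_location))
    return header.ljust(0x4C, b"\0") + body


def suspicious_shortcuts(root_listing, lnk_blobs):
    """Flag shortcuts whose icon source is a loose binary present at the same root."""
    present = {n.lower() for n in root_listing}
    findings = []
    for name, blob in lnk_blobs.items():
        icon_file = parse_lnk(blob).get("icon_location", "").rsplit("\\", 1)[-1].lower()
        if icon_file.endswith(LOADABLE) and icon_file in present:
            findings.append((name, icon_file))
    return findings


# Constructed drive-root listing: one shortcut paired with a DLL beside it, one benign.
SAMPLES = {"Shortcut to docs.lnk": build_lnk(".\\docs", ".\\loader.dll"),
           "Notes.lnk": build_lnk(".\\notes.txt", "%SystemRoot%\\system32\\shell32.dll")}
ROOT_FILES = {"Shortcut to docs.lnk", "Notes.lnk", "loader.dll", "notes.txt", "docs"}
```

A shortcut whose icon comes from a system DLL is not reported; only the pairing with a loose binary at the root is.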
This is quite a serious vulnerability and Microsoft has begun their process of investigation and patch development. This is an excellent candidate for an out-of-band update, especially as we are a month away from the next scheduled Patch Tuesday and targeted attacks are already being conducted.
While it is dangerous, this attack isn’t too dire because it is easily caught by most anti-malware software.
We use a Group Policy setting in Active Directory to prevent AutoPlay running on ANY machines here at the University. But an even better way, (IMHO), is to run Panda USB Vaccine on all your PCs! I do!
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
It will vaccinate your PC so new flash drives won’t start up, and it will vaccinate your flash drives so they won’t autoplay when you put them into a possibly infected PC! Good value, ‘cos it’s a freebie!
Tip: To protect your USB drives, create a FOLDER named Autorun.inf. This will block the creation of an Autorun.inf file by a virus.
Autorun can be a right royal pain, especially if there is sensitive information on a drive you didn’t really wish a third party to see! I’ve had some moments, LOL! Autorun is disabled on my machines, but thanks for the heads-up nevertheless. Poor Microsoft must wonder where it is all going to end one day….
Microsoft put out a Fix-It that implements the workaround to disable icons. It’s here if you want to use it: http://support.microsoft.com/kb/2286198#FixItForMe
Disabling autorun isn’t really going to solve the problem. Basically, just viewing the root of any drive could potentially run a program. Kinda scary. I hope MS gets it patched quickly.