
Microsoft Confirms Zero-Day ''Shortcut'' Exploit

Source: Tom's Hardware US | 30 comments

There's a shortcut exploit affecting all versions of Windows from XP SP2 to Windows 7

On Friday, Microsoft confirmed a zero-day exploit associated with using an infected USB flash drive on systems running Windows XP SP2 up to Windows 7. Apparently researchers warned Microsoft about the exploit a little over a month ago.

According to the company, hackers are exploiting a bug in Windows "shortcut" files. "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut," the company said.

For consumers who have AutoPlay disabled, they would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

"In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware, a threat family already known to the Microsoft Malware Protection Center," said Dave Forstrom, a director in Microsoft's Trustworthy Computing group. "The MMPC has a blog post with more technical discussion of Stuxnet."

Until Microsoft addresses the exploit in a patch, the company suggests that users disable the display of icons for shortcuts. This means that consumers will need to edit the HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler key in the registry. Although this shouldn't be a problem for knowledgeable users, inexperienced consumers could make the problem worse.
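The registry workaround described above, scripted so that it can be applied, verified and undone once the patch ships. This is an added example, not code from the article or from Microsoft; it assumes the workaround is the one Microsoft published for this issue (export the IconHandler key as a backup, then blank its (Default) value and restart Explorer), and the backup file path is a placeholder. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Microsoft's advisory): apply, check
# and undo the "disable shortcut icon display" workaround by blanking the
# (Default) value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler.
# Assumption: this matches Microsoft's published workaround for the issue.
# $BackupFile is a hypothetical path chosen for this example.

$IconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$BackupFile     = Join-Path $env:ProgramData 'lnk-iconhandler-backup.reg'

function Get-LnkIconHandler {
    # Returns the key's (Default) value, or $null if the key does not exist.
    $item = Get-Item -LiteralPath $IconHandlerKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue('')   # '' addresses the (Default) value
}

function Test-LnkIconWorkaround {
    # True when the workaround is in place: (Default) value blank or key missing.
    return [string]::IsNullOrEmpty((Get-LnkIconHandler))
}

function Disable-LnkIconHandler {
    if (-not (Test-Path -LiteralPath $IconHandlerKey)) {
        throw "Key not found: $IconHandlerKey"
    }
    # 1. Export a backup first so the change can be reverted exactly.
    if (Test-Path -LiteralPath $BackupFile) { Remove-Item -LiteralPath $BackupFile }
    & reg.exe export 'HKCR\lnkfile\shellex\IconHandler' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }
    # 2. Blank the (Default) value so the shell stops loading the icon handler.
    Set-ItemProperty -LiteralPath $IconHandlerKey -Name '(default)' -Value ''
    # 3. Restart Explorer so the change takes effect (Windows relaunches it).
    Stop-Process -Name explorer -Force
}

function Restore-LnkIconHandler {
    # Re-import the backup written by Disable-LnkIconHandler, then restart Explorer.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Restore failed.' }
    Stop-Process -Name explorer -Force
}

# Usage (elevated prompt):
#   Disable-LnkIconHandler     # apply the workaround
#   Test-LnkIconWorkaround     # True once applied
#   Restore-LnkIconHandler     # undo after the patch is installed
```

The backup step runs before any change and aborts the whole operation if the export fails, so a failed run never leaves the key modified without a way back. Because the workaround removes icons from every shortcut on the machine, the check function is useful for confirming the state on each system before deciding whether the support cost Wisniewski mentions is worth it.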

"This is highly impractical for most environments," said Chester Wisniewski, a senior security advisor with Sophos. "While it would certainly solve the problem, it would also cause mass confusion among many users and might not be worth the support calls."

The exploit problem gets worse. On Sunday a security researcher known as "Ivanlef0u" published proof-of-concept code on the Internet that takes advantage of the flaw. With some tweaking, the code could be used in an effective attack.

Belgian researcher Didier Stevens created a tool to combat the shortcut security flaw; however, he warns that inexperienced users shouldn't install it. The tool and notes can be found here.

Discuss
  • 22
    dameon51 , July 19, 2010 6:30 PM
    Another fix for this would be don't let untrustworthy individuals have access to your computer.
  • 0
    obiown77 , July 19, 2010 6:39 PM
    And they are just announcing/addressing this now? This exploit has been a big pain in the ass at work for months. I've had tons of users using their USB keys and infecting crap.
  • -5
    gaevs , July 19, 2010 6:45 PM
    This only applies to Windows XP, 7 has autorun disabled, so no clients had this problem.. just let XP die..
  • 5
    noodlegts , July 19, 2010 6:51 PM
    Microsoft should be paying potential hackers to find these problems instead of letting the Chinese or Terrorists or people with too much time on their hands find them, and then coming up with fixes.

    I think all in all it will be cheaper and make for a safer environment for everyone.

    Just my two cents.
  • -2
    Anonymous , July 19, 2010 7:00 PM
    RE: just let XP die
    why should it die? XP still has the best 2D performance - look it up!!!

    http://endlessjukebox.com?afid=216
  • 5
    pixelpusher220 , July 19, 2010 7:00 PM
    @gaevs:
    from the article
    "For consumers who have AutoPlay disabled, they would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited."

    Seems to me if a user put a USB in their computer, one *very* likely scenario is browsing the USB to see what is on it. It affects XP SP2 to Win7 whether you want to admit it or not. ;-)
  • 1
    mavroxur , July 19, 2010 7:01 PM
    Quote (obiown77):
    And they are just announcing/addressing this now, this exploit has been a big pain in the ass at work for months, I've had tons of users using their USB keys, and infecting crap.

    But normally, the infection comes from what the autorun is launching, not the autorun shortcut itself.

    Quote (gaevs):
    This only applies to Windows XP, 7 has autorun disabled, so no clients had this problem.. just let XP die..

    Um... no it doesn't.
  • 8
    Anonymous , July 19, 2010 7:01 PM
    wait let me get this right.... for this to work someone has to physically plug the thing into my USB port.... the last time i let a stranger do that was.....
  • 3
    Gin Fushicho , July 19, 2010 7:07 PM
    What Noodlegts said, and as well, I think Microsoft should stop pouring so much time into XP, they said they were going to let it die, and now they've changed their minds.
  • 0
    madman1391 , July 19, 2010 7:08 PM
    Quote (gaevs):
    This only applies to Windows XP, 7 has autorun disabled, so no clients had this problem.. just let XP die..

    The issue isn't with Autorun.

    Quote:
    For consumers who have AutoPlay disabled, they would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited.

    All you would have to do is navigate to the folder that has the infected file (link) in it.
  • 0
    hoofhearted , July 19, 2010 7:26 PM
    You say to "edit HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler"?

    How? Delete it?
  • 0
    dogofwars , July 19, 2010 7:30 PM
    It's not the first time the autorun and just going in the folder caused this sort of problem.
  • 1
    hellwig , July 19, 2010 7:41 PM
    I still don't understand why Microsoft allows code from so many different places to execute. Why would you ever need to execute data found in an email, jpg file, or shortcut file? It's just data, stop executing it!
  • 0
    squiggs77 , July 19, 2010 8:03 PM
    I agree any security holes should be fixed, but why is this a big problem? Who is plugging USB drives into your computer with viruses on it?
  • 0
    orionantares , July 19, 2010 8:17 PM
    Quote (obiown77):
    And they are just announcing/addressing this now, this exploit has been a big pain in the ass at work for months, I've had tons of users using their USB keys, and infecting crap.

    How were they getting those drives infected in the first place?
  • 1
    pharge , July 19, 2010 8:46 PM
    Guess, it is just impossible to make an OS without any security hole/backdoor... .... even after so many patches...

    I know it is much harder to build one than destroy one... but after so many patches/years/OS generations... we are still finding more holes to fix... hmmm...
  • 0
    gaevs , July 19, 2010 9:14 PM
    So, it works on the shortcut itself? OK, now that is a little bit dangerous..
  • 2
    gaevs , July 19, 2010 9:15 PM
    But a proper antivirus should protect you, no?
  • 0
    stm1185 , July 19, 2010 9:38 PM
    So how do you get the malicious code onto your USB drive to begin with?