Also for all impacted versions of Windows

Jul 21, 2010 11:32 GMT  ·  By

An automatic fix designed to help users protect their Windows PCs against potential attacks targeting a Critical 0-day vulnerability in Windows Shell is now available from Microsoft. The LNK vulnerability is already being exploited in the wild, with the software giant having offered confirmation of limited and targeted attacks. Furthermore, even Proof of Concept (PoC) code has been published, making it extremely easy for attackers to create additional exploits. All Windows users are potentially exposed to attacks targeting the Windows Shell flaw, which involves Windows incorrectly parsing shortcuts, including early adopters running Windows 7 SP1 Beta and Windows Server 2008 R2 SP1. Attacks can come through malicious USB drives, but also remotely via network shares and WebDAV.

Microsoft first confirmed the discovery of the zero-day security flaw affecting all supported releases of Windows last week, and it has been hard at work to produce a patch ever since. While at this point in time an actual security update is not available for Windows users, the company has detailed a number of workarounds which need to be manually implemented by customers, and also provided an automated “Fix It,” simplifying the implementation process of the initial workaround presented to users, namely disabling .LNK and .PIF file functionality in Windows.

Customers can turn to KB article 2286198 in order to access the automated “Fix It.” Whether they’re running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, users only need to click on the “Fix It” button to disable .LNK and .PIF file functionality automatically. This is, of course, only a temporary solution until Microsoft provides a permanent patch.

Once .LNK and .PIF file functionality is disabled, Windows platforms will no longer have icons associated with their shortcuts, with all graphical representations being replaced by a generic file icon. It will bring the user experience down a notch, but users will be protected against attacks, since Windows will no longer parse icons. At the same time, once a patch is available, customers can turn to KB article 2286198 again and hit the second “Fix It” button to re-enable .LNK and .PIF file functionality.

“Running the "Fix It" can help prevent attacks attempting to exploit this vulnerability. This workaround will disable some icons from being displayed so we recommend administrators test this before deploying it widely,” revealed Christopher Budd, security response communications lead, Microsoft.

“We've also updated the advisory with new information regarding possible attack vectors. Finally, we have included a new workaround that customers can implement to help protect their environments: blocking the download of LNK and PIF files (note that these files can be transferred over WebDav, so be sure to account for this protocol if you implement this workaround),” he added. “As always, we encourage customers to review this new information and to evaluate it for their environment while our teams continue their work to develop a security update that addresses this vulnerability.”

Windows 7 Service Pack 1 (SP1) Beta and Windows Server 2008 R2 Service Pack 1 (SP1) Beta are available for download here.

Follow me on Twitter @MariusOiaga.