Microsoft Confirms Zero-Day Critical Vulnerability

Affects all supported Windows versions

By Lucian Constantin on July 17th, 2010 07:47 GMT
Microsoft has released an advisory confirming a previously unknown vulnerability in the way Windows processes shortcut files. The critical bug is trivial to exploit, affects all versions of Windows and allows for arbitrary code execution.

The vulnerability (CVE-2010-2568) came to Microsoft's attention after Belarusian antivirus vendor VirusBlokAda discovered a new piece of USB malware that was actively exploiting it in the wild. The bug allows an attacker to create a special shortcut file (.lnk), that will execute an executable, when the folder containing it is opened in Windows Explorer, or another file manager able to process shortcut icons.

The Microsoft advisory is a bit confusing, the “Executive Summary” section stating that “malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut.” However, in reality the exploit does not require any icon or shortcut clicking and this is confirmed later in the FAQ section, which explains that “When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the victim system.”

According to Microsoft, all versions of Windows from Windows XP with Service Pack 3 forward, including both 32- and 64-bit flavors are affected. But, Chester Wisniewski, senior security advisor at Sophos Canda, points out that Windows 2000 and Windows XP SP2, which are no longer officially supported by Microsoft since earlier this week, are also vulnerable.

Even though the malware exploiting this vulnerability was spreading through USB devices, the bug itself can also be exploited from optical media, network shares and WebDAV. The temporary mitigation techniques suggested by Microsoft, involve disabling shortcut icons via a registry hack, which will result in a really weird experience for users, and stopping the WebClient service, which will severely impact SharePoint customers.

Mr. Wisniewski suggests a different and less intrusive approach – enforcing a Group Policy Object (GPO) to prevent running executable files from other drives except C:\. Of course this is not a perfect solution either, especially in non-corporate environments. For example, a lot of people prefer using portable applications so they can have their particular settings on all computers they use.

You can follow the editor on Twitter @lconstantin
LNK processing vulnerability affects all Windows versions
   LNK processing vulnerability affects all Windows versions