New tool protects against attacks leveraging the flaw

Jul 19, 2010 14:11 GMT  ·  By

A reverse engineer has published proof-of-concept attack code exploiting the critical LNK processing vulnerability confirmed by Microsoft last week. Meanwhile, another researcher has released a tool that allows users to protect themselves until a permanent patch becomes available.

A reverse engineer going by the online handle "Ivanlef0u" has published PoC exploit code for a recently disclosed and still unpatched Windows vulnerability. The flaw was reported as a zero-day after security researchers from antivirus vendor VirusBlokAda found a piece of malware exploiting it in the wild.

The vulnerability stems from the way Windows processes shortcut icons and allows an attacker to execute arbitrary code by simply tricking users into opening a folder containing a specially crafted .LNK file. Microsoft confirmed the bug late last week and recommended that people disable shortcut icons via the registry until a permanent patch is developed and distributed.

It's still not clear when that will happen, but given that Microsoft just had its monthly update cycle last week, an out-of-band fix is very likely. Otherwise, a whole month with such a vulnerability in the wild is a very long time to wait, especially now that attack code is publicly available and any junior malware writer can integrate it into their creation.

Antivirus experts have already speculated that more threats exploiting the flaw will be released soon, even before Microsoft has the chance to land a fix. In the meantime, Belgian IT security consultant and researcher Didier Stevens has cooked up a program that can block attacks leveraging it.

Dubbed Ariad, an acronym for AutoRun.Inf Access Denied, the tool was originally designed to do what its name implies – block the automatic execution of autorun.inf files on USB sticks. However, the program has since evolved to block different types of files on several types of media.

The application functions as a minifilter driver operating inside the Windows kernel and has several blocking options that can be independently activated for USB drives, CD-ROMs, hard disk drives and network shares. The options are “no autorun.inf”; “no executables”, which denies all access to the file types specified in a blacklist; “block all”; “read-only”; and “no file execute”.

The “no executables” and “no file execute” options in particular can be used to protect against malware exploiting the LNK vulnerability. The “no executables” blacklist currently covers BAT, CMD, COM, CPL, DLL, EXE, OCX, PIF, SCR, SYS, VB, VBE, VBS, WSF, WSH and of course LNK.

Users who still want to be able to copy their legitimate executable files stored on USB sticks or network shares and execute them locally can use only the “no file execute” setting. Instead of blocking access to executable files completely, this option prevents them from being loaded into memory.

“The effect is that executable files can be read and copied, but not launched from the mounted drive. The advantage of this setting is that it blocks binary executables independently of the file extension they have,” Didier Stevens explains.
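To make the difference between the two options concrete, here is a small user-mode scanner written for this article as an added example. It is not Ariad's own code (Ariad is a kernel minifilter and its in-kernel decision logic is not described here); it only reproduces the three policies the article names: “no autorun.inf”, the name-based “no executables” blacklist quoted above, and a content-based stand-in for “no file execute” that checks whether a file actually carries a Windows PE image, whatever its extension. The sample medium, including a minimal PE header and a renamed binary hiding under a .jpg name, is constructed inline in a temporary directory.

```python
"""Added example, not Ariad's code: compare name-based and content-based
blocking of executables on a mounted medium."""
import os
import struct
import tempfile
from pathlib import Path

# The "no executables" blacklist as quoted in the article.
NO_EXECUTABLES_BLACKLIST = frozenset(
    ext.lower() for ext in (
        "BAT", "CMD", "COM", "CPL", "DLL", "EXE", "OCX", "PIF", "SCR",
        "SYS", "VB", "VBE", "VBS", "WSF", "WSH", "LNK",
    )
)


def blocks_autorun_inf(path, root):
    """"no autorun.inf" option, approximated: an autorun.inf in the medium's root."""
    p = Path(path)
    return p.name.lower() == "autorun.inf" and p.parent == Path(root)


def blocks_by_extension(path):
    """"no executables" option: a blacklist keyed on the file name only.
    Because it denies all access, a crafted .LNK cannot even be read for
    icon rendering; but a renamed binary passes straight through."""
    return Path(path).suffix.lstrip(".").lower() in NO_EXECUTABLES_BLACKLIST


def is_pe_image(path):
    """Content check standing in for "no file execute": is this a loadable
    Windows PE image regardless of its name?  Checks the 'MZ' DOS header,
    follows e_lfanew (offset 0x3C) and expects the 'PE\\0\\0' signature there."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def scan_medium(root):
    """Walk a mounted medium; report per file which option would deny it."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = {
                "no_autorun_inf": blocks_autorun_inf(path, root),
                "no_executables": blocks_by_extension(path),
                "no_file_execute": is_pe_image(path),
            }
    return findings


def minimal_pe_image():
    """Constructed stand-in for a binary: MZ header, e_lfanew -> 0x80, then
    the 'PE\\0\\0' signature and an empty COFF header.  Not runnable, just
    enough to satisfy the header check above."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


def build_sample_medium():
    """Create a temp directory playing the part of a USB stick (constructed files)."""
    root = tempfile.mkdtemp(prefix="ariad_demo_")
    samples = {
        "autorun.inf": b"[autorun]\r\nopen=tool.exe\r\n",
        "tool.exe": minimal_pe_image(),
        "photos/holiday.jpg": minimal_pe_image(),  # renamed binary, escapes the blacklist
        "photos/shortcut.lnk": b"\x4c\x00\x00\x00" + b"\0" * 72,  # shell link header, size 0x4C
        "notes.txt": b"plain text\r\n",
    }
    for rel, data in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    medium = build_sample_medium()
    for rel, verdict in sorted(scan_medium(medium).items()):
        denied = [opt for opt, hit in verdict.items() if hit] or ["(allowed)"]
        print(f"{rel:22} {' '.join(denied)}")
```

The report shows the trade-off the article describes: `tool.exe` is caught by both rules, `photos/shortcut.lnk` only by the extension blacklist (the content rule is about loading binaries, not shortcuts), and `photos/holiday.jpg`, a PE image under a harmless name, only by the content-based check, which is exactly why Stevens points out that “no file execute” works independently of the file extension.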

Another aspect worth mentioning about Ariad is that it also works on Windows XP SP2 and Windows 2000 with SP4 and Update Rollup 1. This is important because these operating system versions have been unsupported by Microsoft since last week and, as such, will never receive a patch for the LNK vulnerability.

Ariad 0.0.0.8 can be downloaded from here.

You can follow the editor on Twitter @lconstantin