Detects malicious shortcuts in real-time

Jul 27, 2010 15:18 GMT  ·  By

Sophos has released a tool that can protect users against exploits targeting a currently unpatched Windows vulnerability in the way shortcut icons are processed. The critical bug, discovered earlier this month, has already been adopted by a variety of malware families, and that number is only expected to grow.

The new vulnerability, identified as CVE-2010-2568 and confirmed by Microsoft in Security Advisory 2286198, was discovered being exploited in the wild by a highly sophisticated piece of malware earlier this month. The flaw stems from the way Windows loads the icon for a shortcut that points to a Control Panel item, and it allows an attacker to execute malicious code automatically by getting users merely to view a folder containing specially crafted LNK files; the user does not have to click the shortcut itself.

Initially it was believed that the vulnerability could only be exploited from removable USB devices or network shares. However, Microsoft later revealed that attackers can also launch attacks leveraging it via websites or other document files.

This is a very serious flaw and one that, according to experts, will not be easy to fix. Malware writers have wasted no time and have already incorporated the exploit into their creations. We just reported that new threats from the Chymine, Vobfus, Sality and ZeuS families of malware are currently leveraging this vulnerability to infect computers.

Considering that it might take two more weeks until Microsoft provides an official patch for this bug as part of its regular monthly patch cycle, security engineers from Sophos have decided to create a small tool to protect users in the meantime. The program, dubbed “Windows Shortcut Protection Tool”, is available for Windows XP, Vista and 7, and is capable of detecting LNK files that contain the exploit in real time.

“The free Sophos tool installs a new icon handler for Windows shortcuts. Whenever Windows tries to display an icon corresponding to a Windows shortcut, the new icon handler will intercept this request and validate the shortcut. If the shortcut does not contain the exploit, control will be given back to Windows,” Graham Cluley, senior technology consultant at Sophos, explains. Upon blocking an exploitation attempt, the program will also report what file the malformed shortcut was attempting to execute.
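As an added illustration of the two points above (how the flaw is triggered through a Control Panel shortcut, and what an icon-handler style validator has to inspect before handing control back to Windows), the Python below is example code written for this page; it is not Sophos's tool and not its detection logic. It parses the 76-byte ShellLinkHeader and the LinkTargetIDList as laid out in MS-SHLLINK, then applies one heuristic: the shortcut's item list enters the Control Panel folder (recognised by its well-known shell folder CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}) and a later item names a module by path, which is the file the shell would load to render the icon. The shell-item layouts inside the ID list are undocumented, so the three sample shortcuts are constructed here with a simplified item layout, and the allowlist that treats a .cpl under System32 as a normal applet is my assumption, not a rule from the article.

```python
"""Heuristic scanner for Control Panel shortcut (.lnk) files (added example).

Parses the MS-SHLLINK header and LinkTargetIDList, then flags shortcuts whose
target enters the Control Panel folder and names a module by path. The .lnk
bytes at the bottom are constructed sample data, not real malware.
"""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit 0

# Well-known shell folder CLSIDs; on disk they appear little-endian, hence .bytes_le
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")

# Assumed allowlist: a .cpl living in System32 is treated as a stock applet.
SYSTEM_CPL_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_id_list(data):
    """Return the payload bytes of each ItemID in the LinkTargetIDList.

    Raises ValueError for anything that is not a well-formed shell link so a
    caller can fail closed rather than crash inside an icon handler.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than the 76-byte ShellLinkHeader")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID.bytes_le:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    offset = LNK_HEADER_SIZE
    if len(data) < offset + 2:
        raise ValueError("truncated before IDListSize")
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    offset += 2
    end = offset + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while offset + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, offset)
        if item_size == 0:  # TerminalID closes the list
            return items
        if item_size < 2 or offset + item_size > end:
            raise ValueError("ItemIDSize inconsistent with IDListSize")
        items.append(data[offset + 2:offset + item_size])
        offset += item_size
    raise ValueError("IDList has no TerminalID")


def utf16_strings(blob, min_chars=4):
    """Printable UTF-16LE runs inside an item payload (shell items store paths this way)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def is_system_cpl(path):
    p = path.lower()
    return p.endswith(".cpl") and any(p.startswith(d) for d in SYSTEM_CPL_DIRS)


def check_shortcut(data):
    """Classify a .lnk as 'clean', 'suspicious' or 'malformed'.

    Suspicious means the ID list descends into the Control Panel folder and a
    later item carries a path, i.e. the shortcut tells the shell which module
    to load for its icon, and that module is not a stock .cpl in System32.
    """
    result = {"verdict": "clean", "control_panel": False, "module": None}
    try:
        items = parse_id_list(data)
    except ValueError as exc:
        result.update(verdict="malformed", reason=str(exc))
        return result
    for item in items:
        if not result["control_panel"]:
            if CONTROL_PANEL_CLSID.bytes_le in item:
                result["control_panel"] = True
            continue
        for text in utf16_strings(item):
            if "\\" in text:
                result["module"] = text
                result["verdict"] = "clean" if is_system_cpl(text) else "suspicious"
                return result
    return result


def build_lnk(items):
    """Assemble header + LinkTargetIDList for the constructed samples below."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


def _path_item(path):
    # Simplified item layout (real shell items differ); only the UTF-16LE path matters here.
    return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"


ROOT_ITEM = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le      # root folder: My Computer
CPANEL_ITEM = b"\x2e\x80" + CONTROL_PANEL_CLSID.bytes_le  # Control Panel folder (type bytes illustrative)

# Constructed samples: exploit-shaped, a stock applet, and an ordinary document shortcut
EXPLOIT_LNK = build_lnk([ROOT_ITEM, CPANEL_ITEM, _path_item("E:\\dropper.tmp")])
APPLET_LNK = build_lnk([ROOT_ITEM, CPANEL_ITEM, _path_item("%SystemRoot%\\System32\\timedate.cpl")])
DOCUMENT_LNK = build_lnk([ROOT_ITEM, _path_item("C:\\Users\\alice\\report.docx")])

if __name__ == "__main__":
    for name, blob in (("exploit", EXPLOIT_LNK), ("applet", APPLET_LNK),
                       ("document", DOCUMENT_LNK), ("garbage", b"MZ" * 40)):
        print(name, check_shortcut(blob))
```

Two design choices matter for a validator that sits in the icon-display path. It reports the module path it found (the equivalent of the tool telling the user what file the shortcut was trying to execute), and every structural inconsistency in the header or ID list is turned into a "malformed" verdict rather than an exception, because a shortcut that crashes the handler while Explorer renders a folder is itself a way to defeat the protection. The extension of the module is deliberately not used as the signal: the shortcut controls which file the shell loads, so the name can be anything.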

Sophos' Windows Shortcut Protection Tool can be downloaded from here.

You can follow the editor on Twitter @lconstantin