IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

Critical Windows vuln. in .LNK files = Stuxnet (and IE IV)

By Richi Jennings. July 19, 2010.

Eeek! All versions of Microsoft Windows have a nasty shortcut-file vulnerability, it has emerged. Simply displaying the icon of a crafted .LNK file is enough to run the attacker's code: no double-click, no AutoRun, no admin rights. The Stuxnet worm has already been quietly exploiting the flaw for some time. In IT Blogwatch, bloggers ponder panicking.

Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention ImprovEverywhere: A New Hope...
 
John Leyden jars us awake with bad news: [sorry]

Security shortcomings in the Windows shortcut ... files are being exploited ... in the wild ... if an infected USB stick is accessed in Windows Explorer. ... All versions of Windows ... are vulnerable. Disabling Windows AutoPlay and AutoRun ... has no effect.
...
The same vulnerability might also lend itself to exploitation via Windows file shares and WebDAV. ... Disabling the displaying of icons for shortcuts and turning off the WebClient service are ... workarounds against possible attacks, ahead of ... a security fix.


Tom Warren shows us how far the rabbit hole goes:

Microsoft issued a security bulletin ... to warn customers of a 0-day exploit ... caused due to an error ... when parsing shortcuts (.lnk). ... Certain parameters of the .lnk are not properly validated. ... The flaw bypasses ... security mechanisms, including UAC, and doesn't require administrative privilege.
...
Disabling icons for shortcuts ... is far from ideal for most corporate customers ... [it] will likely result in mass confusion for users ... turning off the WebClient service will render Microsoft SharePoint useless.


Microsoft's Tareq Saade talks Stuxnet:

Most reports are coming from ... Iran and Indonesia, with attack attempts far higher than the global average. ... Some of these detections have been picked up in ... game cheats. ... It utilizes a new method of propagation. ... Displaying [the] shortcut icon ... runs the malware without any additional user interaction.
...
We suspect that Stuxnet has been active for at least a month, possibly longer.

 
Microsoft's Dave Forstrom adds:

We have released Security Advisory 2286198, which addresses a publicly reported vulnerability in Windows Shell. ... We recommend that customers follow the guidance provided ... making note of mitigations and tested workarounds. ... Upon completion of [our] investigation, we will take appropriate action to protect our customers.
...
Anyone believed to have been affected by this issue ... should contact the national law enforcement agency in their country.

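The two workarounds the posts above keep returning to (Leyden: "disabling the displaying of icons for shortcuts and turning off WebClient service"; Warren: painful, but that is what the advisory offers ahead of a fix) can be scripted so they are applied, checked and later reverted consistently across a fleet. The script below is an added example, not code from the original post, from any of the quoted bloggers or from Microsoft. It assumes the registry key `HKCR\lnkfile\shellex\IconHandler` and the service name `WebClient` that the advisory's workaround section names (neither is quoted on this page), and the backup file location is an arbitrary choice. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or from Microsoft): apply, inspect and revert
# the two Security Advisory 2286198 workarounds discussed above.
# ASSUMPTIONS: the registry key and service name are those used by the advisory's
# workaround section (not quoted on this page); the backup path is arbitrary.

$IconHandlerKey = 'HKCR\lnkfile\shellex\IconHandler'
$BackupFile     = Join-Path $env:ProgramData 'LNK_Icon_Backup.reg'

function Get-LnkWorkaroundState {
    # Report whether each workaround is currently in effect.
    $key     = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('lnkfile\shellex\IconHandler')
    $handler = if ($key) { $key.GetValue('') } else { $null }   # '' is the (Default) value
    $svc     = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $wmi     = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    New-Object PSObject -Property @{
        IconHandlerClsid = $handler                          # CLSID string while icons are enabled
        IconsDisabled    = [string]::IsNullOrEmpty($handler) # $true once the (Default) value is gone
        WebClientStatus  = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        WebClientStart   = if ($wmi) { $wmi.StartMode } else { 'NotInstalled' }
    }
}

function Enable-LnkWorkarounds {
    # 1. Back up, then delete the (Default) value of the icon-handler key. reg.exe's /ve
    #    selects the unnamed default value. With it gone, Explorer draws a generic icon for
    #    every shortcut instead of resolving the icon from the .LNK itself, which is the
    #    code path the posts describe being abused.
    if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
    reg.exe export $IconHandlerKey $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; icon handler left unchanged." }
    reg.exe delete $IconHandlerKey /ve /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not clear the (Default) value of $IconHandlerKey." }

    # 2. Stop and disable WebClient so a WebDAV share cannot deliver a crafted .LNK.
    #    Side effect, as Warren notes: WebDAV-based access to SharePoint stops working.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled

    Write-Warning 'Log all users off and on again (or reboot) for the icon change to take effect.'
}

function Disable-LnkWorkarounds {
    # Revert once the vendor fix is installed: re-import the exported key, re-enable WebClient.
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; cannot restore the icon handler." }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry import failed; icon handler not restored.' }
    # ASSUMPTION: WebClient was set to Manual before the change. Use the StartMode that
    # Get-LnkWorkaroundState reported beforehand if your build differs.
    Set-Service   -Name WebClient -StartupType Manual
    Start-Service -Name WebClient -ErrorAction SilentlyContinue
}

# Usage: capture the pre-change state, apply, then confirm both flags flipped.
Get-LnkWorkaroundState
Enable-LnkWorkarounds
Get-LnkWorkaroundState
```

The backup-before-delete ordering matters: the advisory's manual procedure exports the key first for exactly this reason, and the script refuses to touch the key if the export fails. Note that neither workaround addresses the file-share vector Leyden mentions; they only remove the icon-rendering trigger and the WebDAV delivery path.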

Chester Wisniewski has been busy:

It's been a busy 24 hours looking into this. ... Lots of research has gone into it and most of the results are not good news. ... Think about this attack as two separate pieces, one that is a new zero-day vulnerability ... the other a unique payload that appears to be designed to go after some very specific infrastructure targets.
...
A colleague suggested the best mitigation I have heard so far: deploying a GPO [policy] ... to allow execution [only] for specific ... paths.
...
[The payload] is not a big concern unless you run a nuclear power plant. ... Expect the exploit, on the other hand, to be widely used. ... It will be too juicy a target to ignore.


Joel Esler has tested the exploit:

I ... can confirm that it works in Windows XP, Vista and Windows 7. ... A specially crafted LNK file ... allows the attacker to execute an arbitrary file by carefully specifying its location. ... I will not be posting details about how the exploit works.
...
What makes this vulnerability extremely serious is the fact that it can be opened from any place. ... The victim just has to browse ... in order to trigger the vulnerability. ... Some AV vendors started adding detection for these LNK files, although it is still very, very bad.

 
And Finally...
The best ImprovEverywhere video for ages
 
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com.

You can also read Richi's full profile and disclosure of his industry affiliations.