
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Out-of-Cycle Update Fixes Shortcut Icon Vulnerability

August 3, 2010 By The Editor

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Various ways, including enticing you into downloading a specially crafted shortcut and browsing the directory containing it
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install Microsoft’s out-of-band Windows update immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released an out-of-cycle security bulletin to fix a significant Windows vulnerability that has gotten a lot of media attention, and which attackers have exploited in the wild via a worm and other malware. Microsoft rates this update as Critical.

The vulnerability has to do with how the Windows Shell handles shortcut icons (.lnk files). Essentially, if an attacker can somehow get a specially crafted shortcut file (.lnk) onto one of your users’ computers, and then entice that user to browse to the directory containing the malicious shortcut from within Windows Explorer, the attacker can exploit this flaw to execute malicious code on that user’s computer with that user’s privileges. As with most Windows vulnerabilities, if your users have local administrator privileges, attackers could leverage this flaw to gain complete control of their computers.

On the surface, this vulnerability doesn’t seem overly critical. At first, it seems like a local vulnerability, not a remote one. For instance, it requires that an attacker get a malicious shortcut file onto a user’s local computer, and that the user then interact with the folder containing the file. In order to get such a malicious .lnk file onto one of your users’ computers, an attacker would either have to entice your user to download a shortcut, leverage some other flaw (assuming one exists) that gives him remote access to your user’s file system, or leverage existing Windows file shares to copy the malicious file (assuming the attacker has access to your local network and file shares). All of these factors should mitigate the risk of this particular flaw and lessen its severity. However, Microsoft has also learned that in some cases attackers can exploit this flaw in drive-by download attacks. If an attacker creates a malicious web page with a specially embedded shortcut, simply visiting the page in Internet Explorer can trigger this flaw. Attackers could even embed a malicious .lnk in an Office document. Finally, real-world malware has proven that this particular flaw has fangs.

According to researchers, a worm spreading in the wild called Stuxnet leverages this shortcut vulnerability to help it spread within local networks once it has infected some victim. If Stuxnet somehow infects one of your users’ computers (for instance, a roving laptop that a user walks into your local network), that computer will do two things: it will search for Windows network shares and try to copy its malicious .lnk file to those shares, and it will also add its malicious .lnk file to any USB storage device plugged into the infected machine. This will cause anyone who browses the affected share directory or USB drive to become infected with Stuxnet. With the USB vector, if your users have Windows Autorun or Autoplay enabled, they can become infected simply by plugging in an infected USB storage device. Keep in mind, Stuxnet does not leverage the shortcut vulnerability to infect its first victim. It needs to exploit some other flaw or social engineering trick to infect its first victim. However, once it gets onto one computer in your network, the shortcut flaw helps it spread quickly throughout your local network, as the German engineering company Siemens AG regrettably found out recently.
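Because the worm spreads by dropping a shortcut onto file shares and USB drives, a useful defender-side check is to audit those locations for newly appeared .lnk files. The script below is an added example, not part of the original post or of any WatchGuard tool: it walks a directory tree (a mounted share or USB drive), confirms each .lnk file carries a genuine Shell Link header, and flags those modified recently. The `demo()` function builds constructed sample files in a temporary directory; the 7-day window is an assumed threshold.

```python
"""Audit a directory tree (a mounted share or USB drive) for Windows shortcut
files, as a defender-side check for the .lnk spreading pattern described above."""
import os
import struct
import tempfile
import time

# A Shell Link file starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, stored in little-endian GUID layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_shell_link(data: bytes) -> bool:
    """True if the first 20 bytes look like a Shell Link (.lnk) header."""
    if len(data) < 20:
        return False
    size = struct.unpack_from("<I", data, 0)[0]
    return size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def audit_shortcuts(root: str, max_age_days: float = 7.0, now=None) -> list:
    """Report every *.lnk under root: does its header check out, and is it recent?"""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(20)
            age_seconds = now - os.path.getmtime(path)
            findings.append({
                "path": path,
                "valid_header": is_shell_link(head),
                "recent": age_seconds <= max_age_days * 86400,
            })
    return findings


def demo() -> list:
    """Constructed sample: two well-formed .lnk files, one fresh and one 30 days old."""
    root = tempfile.mkdtemp()
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * 56
    for name in ("fresh.lnk", "stale.lnk"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(header)
    old = time.time() - 30 * 86400  # back-date the second file's mtime
    os.utime(os.path.join(root, "stale.lnk"), (old, old))
    return sorted(audit_shortcuts(root), key=lambda f: f["path"])
```

Run `audit_shortcuts()` against the share or removable drive you want to check; a fresh shortcut nobody placed there on purpose is worth a closer look.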

According to Microsoft, other malware authors have already caught on to this .lnk file trick and have incorporated similar spreading techniques into other worms, like Sality. Despite the fact that, on the surface, this vulnerability shouldn’t pose a huge threat, attackers have found novel ways to leverage it that have proven very effective in the real world. Big organizations have already fallen victim to malware leveraging this flaw, and the vulnerability poses a very serious risk. For that reason, we highly recommend you download, test, and deploy Microsoft’s update immediately.

Solution Path:

Microsoft has released an out-of-cycle patch for Windows that corrects this vulnerability. You should download, test, and deploy it immediately, or let Windows Automatic Update do it for you.

MS10-046:

  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Server 2003 Itanium
  • Windows Vista
  • Windows Vista x64
  • Windows Server 2008
  • Windows Server 2008 x64
  • Windows Server 2008 Itanium
  • Windows 7
  • Windows 7 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 Itanium

For All WatchGuard Users:

You can somewhat mitigate the risk of this flaw by blocking .lnk files with your WatchGuard appliance. You can use the HTTP, SMTP, and FTP proxy on some WatchGuard appliances to block files by their extension. However, there are many ways that an attacker might sneak a malicious .lnk file into your network. Therefore, the patches above are still your best recourse.

Nonetheless, if you want to block Windows shortcuts, the links below contain video instructions showing how to block them by extension (.lnk). Keep in mind, this technique also blocks legitimate shortcuts. That said, there really is no legitimate reason for your users to download shortcuts from the Internet.

  • Firebox X Edge running 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?
  • Firebox X Core and X Peak running Fireware 10.x or Fireware XTM
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?

Status:

Microsoft has released an update to correct this serious vulnerability.

References:

  • Microsoft Security Bulletin MS10-046
