Summary:
- These vulnerabilities affect: All current versions of Windows
- How an attacker exploits them: Various ways, including enticing you into downloading a specially crafted shortcut and browsing the directory containing it
- Impact: In the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install Microsoft’s out-of-band Windows update immediately, or let Windows Automatic Update do it for you.
Exposure:
Today, Microsoft released an out-of-cycle security bulletin to fix a significant Windows vulnerability that has gotten a lot of media attention, and which attackers have exploited in the wild via a worm and other malware. Microsoft rates this update as Critical.
The vulnerability has to do with how the Windows Shell handles shortcut icons (.lnk files). Essentially, if an attacker can somehow get a specially crafted shortcut file (.lnk) onto one of your user’s computers, and then entice that user to browse to the directory containing the malicious shortcut from within Windows Explorer, the attacker can exploit this flaw to execute malicious code on that user’s computer with that user’s privileges. As with most Windows vulnerabilities, if your users have local administrator privileges, attackers could leverage this flaw to gain complete control of their computers.
On the surface, this vulnerability doesn’t seem overly critical. At first, it seems like a local vulnerability, not a remote one. For instance, it requires an attacker get a malicious shortcut file onto a user’s local computer, and then to interact with the folder containing the file. In order to get such a malicious .lnk file onto one of your user’s computers, an attacker would either have to entice your user to download a shortcut, leverage some other flaw (assuming one exists) that gives him remote access to your user’s file system, or leverage existing Windows file shares to copy the malicious file (assuming the attacker has access to your local network and file shares). All of these factors should mitigate the risk of this particular flaw, and lessen its severity. However, Microsoft has also learned that in some cases attackers can exploit this flaw in drive-by download attacks. If an attacker creates a malicious web page with a specially embedded shortcut, simply visiting the page in Internet Explorer can trigger this flaw. Attackers could even embed a malicious .lnk in a Office document. Finally, real-world malware has proven that this particular flaw has fangs.
According to researchers, a worm spreading in the wild called Stuxnet leverages this shortcut vulnerability, to help it spread within local networks, once it’s infected some victim. If Stuxnet somehow infects one of your user’s computers (for instance, a roving laptop that a user walks into your local network), that computer will do two things; it will search for Windows network shares, and try to copy its malicious .lnk file to those shares, and it also adds its malicious.lnk file to any USB storage device plugged into the infected machine. This will cause anyone who browses the affected share directory or USB drive to become infected with Stuxnet. With the USB vector, if your users have Windows Autorun or Autoplay enabled, they can become infected simply by plugging in an infected USB storage device. Keep in mind, Stuxnet does not leverage the shortcut vulnerability to infect its first victim. It needs to exploit some other flaw or social engineering trick to infect its first victim. However, once it gets onto one computer in your network, the shortcut flaw helps it spread quickly throughout your local network, as the German engineering company Siemens AG regrettably found out recently.
According to Microsoft, other malware authors have already caught on to this .lnk file trick and have incorporated similar spreading techniques into other worms, like Sality. Despite the fact that, on the surface, this vulnerability shouldn’t pose a huge threat, attackers have found novel ways to leverage it that have proven very affective in the real-world. Big organization have already fell victim to malware leveraging this flaw, and the vulnerability poses a very serious risk. For that reason, we highly recommend you download, test, and deploy Microsoft’s update immediately.
Solution Path:
Microsoft has released an out-of-cycle patch for Windows that corrects this vulnerability. You should download, test, and deploy it immediately, or let Windows Automatic Update do it for you.
- Windows XP
- Windows XP x64
- Windows Server 2003
- Windows Server 2003 x64
- Windows Server 2003 Itanium
- Windows Vista
- Windows Vista x64
- Windows Server 2008
- Windows Server 2008 x64
- Windows Server 2008 Itanium
- Windows 7
- Windows 7 x64
- Windows Server 2008 R2 x64
- Windows Server 2008 R2 Itanium
For All WatchGuard Users:
You can somewhat mitigate the risk of this flaw by blocking .lnk files with your WatchGuard appliance. You can use the HTTP, SMTP, and FTP proxy on some WatchGuard appliances to block files by their extension. However, there are many ways that an attacker might sneak a malicious .lnk file into your network. Therefore, the patches above are still your best recourse.
Nonetheless, if you want to block Windows shortcuts, the links below contain video instructions showing how to block them by extension (.lnk). Keep in mind, this technique also blocks legitimate shortcuts as well. That said, there really is no legitimate reason for your users to download shortcuts from the Internet.
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x or Fireware XTM
Status:
Microsoft has released an update to correct this serious vulnerability.
References:
- Microsoft Security Bulletin MS10-046