Unpatched Windows shortcut flaw leaves users open to drive-by attacks

Thursday, July 22, 2010 8:15

Microsoft on Tuesday said that hackers could exploit the unpatched Windows shortcut vulnerability using drive-by download attacks that would trigger an infection when people simply surf to a malicious website.

A noted vulnerability researcher Wednesday confirmed that such attacks are possible.


In the revised security advisory, Microsoft acknowledged the new attack vector.

“An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location,” the company said in the advisory. “When the user browses the website using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked.”

That language was a change from earlier statements by Microsoft, which had said that attackers could hijack Windows PCs by setting up a remote network share, a much more complicated task than building a malware-spreading website. In the earlier advisory, Microsoft also said that “the malicious binary may be invoked”; the most recent warning instead said “the malicious binary will be invoked” [emphasis added in both cases].

Last Friday, Microsoft confirmed that Windows contained a flaw in the parsing of shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.

All versions of Windows are at risk, including the recently retired-from-support Windows XP SP2 and Windows 2000.

So far, attacks exploiting the bug appear to be limited to targeted assaults against software that manages large-scale industrial control systems in major manufacturing and utility companies. Siemens AG has confirmed that one of its customers, a German manufacturer it declined to name, had been victimized by an attack exploiting the shortcut bug.
