The Tech Herald

Microsoft releases patch for Windows Shell vulnerability

by Steve Ragan - Aug 2 2010, 18:10

Microsoft has issued a patch for the widely covered Windows Shell vulnerability. The patch comes one week before the monthly set of patches from Redmond, and one week after the vulnerability itself was seen packaged with various malware families.

The vulnerability stems from incorrect shortcut parsing, resulting in malicious code execution simply by viewing a folder that contains a crafted shortcut. The flaw itself resides in how the Windows Shell loads the icon for the shortcut.

When the icon is loaded, Windows will not validate some of the parameters in a specially crafted shortcut file. Instead, Windows will blindly load whatever target the shortcut tells it to.
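As an added illustration of the icon-loading path described above (example code written for this page, not Microsoft's or any vendor's tooling), the following Python script parses the fixed header and the link target ID list of .lnk files and flags shortcuts whose icon has to be derived from the link target because the file carries no explicit icon location. The header layout and LinkFlags bits are taken from Microsoft's public MS-SHLLINK specification; the rule that looks for a .dll name inside the ID list, the `scan_directory` helper and the two sample shortcuts are constructed assumptions for this example, not a vendor signature.

```python
import os
import struct

# Fixed ShellLinkHeader layout from the public MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# LinkFlags bits (MS-SHLLINK, ShellLinkHeader.LinkFlags).
HAS_LINK_TARGET_IDLIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7


def parse_lnk(data: bytes) -> dict:
    """Parse the fixed header and the optional LinkTargetIDList of a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    (icon_index,) = struct.unpack_from("<i", data, 0x38)  # IconIndex field
    item_ids = []
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2
        end = min(offset + idlist_size, len(data))
        while offset + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, offset)
            if item_size == 0:        # TerminalID: end of the list
                break
            if item_size < 2:         # malformed ItemID; stop rather than spin
                raise ValueError("malformed ItemID size")
            item_ids.append(data[offset + 2:offset + item_size])
            offset += item_size
    return {"flags": flags, "icon_index": icon_index, "item_ids": item_ids}


def triage(data: bytes) -> list:
    """Return reasons a shortcut deserves a closer look.
    The rules are constructed heuristics for this example, not a vendor signature."""
    info = parse_lnk(data)
    flags = info["flags"]
    findings = []
    # No explicit IconLocation string: the shell must derive the icon from the
    # link target's item ID list, which is the loading path the article describes.
    if flags & HAS_LINK_TARGET_IDLIST and not flags & HAS_ICON_LOCATION:
        findings.append("icon resolved from link target, no explicit IconLocation")
    # Heuristic (assumption): an ordinary file or folder shortcut rarely names a
    # .dll in its ID list, so such a shortcut is worth reviewing.
    blob = b"".join(info["item_ids"]).lower()
    if b".dll" in blob or ".dll".encode("utf-16-le") in blob:
        findings.append("item ID list references a .dll module")
    return findings


def scan_directory(root: str) -> dict:
    """Triage every *.lnk below root (for instance a mounted removable drive)."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    try:
                        report[path] = triage(fh.read())
                    except ValueError as exc:
                        report[path] = [f"unparseable: {exc}"]
    return report


def build_lnk(flags: int, item_ids: list) -> bytes:
    """Constructed minimal link (header plus ID list only) used for the samples."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I16sI", header, 0, LNK_HEADER_SIZE, LNK_CLSID, flags)
    body = b""
    if flags & HAS_LINK_TARGET_IDLIST:
        items = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
        body = struct.pack("<H", len(items)) + items
    return bytes(header) + body


# Constructed samples; not real shortcuts from any incident.
SAMPLE_ORDINARY = build_lnk(HAS_LINK_TARGET_IDLIST | HAS_ICON_LOCATION,
                            [b"\x1f\x00", "C:\\Users\\me\\notes.txt".encode("utf-16-le")])
SAMPLE_SUSPECT = build_lnk(HAS_LINK_TARGET_IDLIST,
                           [b"\x1f\x00", "C:\\Users\\me\\example.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for label, sample in (("ordinary", SAMPLE_ORDINARY), ("suspect", SAMPLE_SUSPECT)):
        print(label, triage(sample) or "no findings")
```

The parser only reads the fixed header and the ID list, so it never resolves the link or touches the icon handler; that is the point of triaging shortcuts on removable or shared media with a standalone reader instead of opening the folder in Explorer. Point `scan_directory` at a mount point to get a per-file list of findings.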

Wolfgang Kandek, the CTO of Qualys, reminded IT administrators and home users alike that while the primary attack vectors for the Windows Shell (or LNK) vulnerability are USB drives and shared network drives, it is possible to target end users by other means.

“Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction,” Kandek said.

In a recent interview with The Tech Herald, Jamz Yaneza, Threat Research Manager for Trend Micro, said that not only was his company seeing attacks leveraging the LNK vulnerability in the wild, but that other attack vectors, such as embedding malicious shortcuts in Word documents, widen the attack surface beyond what was initially seen.

Shortly after we talked to Yaneza, security firm ESET reported the discovery of two malware families using the vulnerability to spread. This discovery was mirrored later by several other security firms, and by Microsoft itself.

“Although there have been multiple families that have picked up this vector, one in particular caught our attention this week: a family named Sality, and specifically Sality.AT,” Microsoft said in a Malware Protection Center blog post on Friday.

In addition to being one of the largest malware families online this year, “Sality is a highly virulent strain,” Microsoft explained.

“It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security, and then download other Malware.”

Since July 25, attempts to exploit the LNK vulnerability have climbed to almost 8,000 a day, according to data from July 29. While small in the grand scheme of things, the figures show that criminals are quick to jump on a bandwagon.

While many are sending kudos and deserved praise to Microsoft for making the Windows Shell vulnerability a high priority, Ben Greenbaum, senior research manager for Symantec Security Response, cautioned that the threat itself isn’t likely to go away simply because a patch has been released.

“The .LNK vulnerability is quite trivial to exploit,” Greenbaum said. “So despite a fix being issued, I don’t think we’ve seen the last piece of malware seeking to take advantage of it. Computer users and IT administrators would do well to patch this one right away.”

Microsoft customers with Automatic Updates enabled need take no action, as the patch will be pushed and installed automatically. At the same time, operations teams within the enterprise are encouraged to test and deploy the patch as soon as possible.

The Windows Shell vulnerability affects every Windows operating system from Windows XP SP3 to Windows 7, and Server 2003 to Server 2008. We’ve attempted to get more information on the actual fix itself, given that the earlier mitigations and Fix It solution from Microsoft severely limited usability. As we learn more, we’ll update this report.

Windows XP SP2 and Windows 2000 users are also vulnerable to attacks leveraging this vulnerability, but due to product lifecycle limits, there is no patch for those platforms.

More information is here.
