More details and attack vectors emerge for Windows Shell vulnerability
by Steve Ragan - Jul 21 2010, 15:24
Microsoft has confirmed it is working on a patch for the Zero-Day vulnerability that has opened a severe attack vector on Windows. In addition, it has released a FixIt tool to help mitigate the problem. However, is the tool worth the potential headache?
The Redmond-based software company has said it's working on a patch to address the vulnerability in the Windows operating system, which is the result of improper shortcut handling. The flaw itself resides in how the icon for the shortcut is loaded by the Windows Shell.
When the icon is loaded, Windows will not validate some of the parameters in a specially crafted shortcut file. Instead, it will blindly load whatever target the shortcut tells it to. The details and code needed to pull off the exploit are now public knowledge, which means the race is on to patch things before it is widely exploited by criminals.
While it is working on a patch, Microsoft has released a FixIt tool for customers that disables *.LNK (shortcut) and *.PIF icons on Windows XP, Windows Vista, Windows 7, as well as Server 2003 and 2008.
The catch to using this option is that the icons representing all applications, which are used by a majority of users to navigate the system and launch programs, will be replaced with a generic image. This will surely cause mass confusion if it is implemented in an Enterprise or SMB environment, creating a stressful situation for IT teams.
In a blog post written earlier this week, Roel Schouwenberg, senior anti-virus researcher with Kaspersky, correctly guessed that the vulnerability is embedded deep within the core of the Windows operating system.
From Schouwenberg's point of view, “as this functionality is pretty standard, it's going to be harder to create effective generic detections which don't cause false positives.”
“I suspect Microsoft is going to have a very hard time patching this one. There doesn’t seem to be any security model associated with how Windows handles shortcuts,” he added. “This whole situation reminds me a bit of vulnerabilities in the WMF format – it’s another case of legacy code coming back to bite Microsoft.”
Administrators are between a rock and a hard place this time around. Until Microsoft pushes out a fix for the *.LNK vulnerability, it is a case of either risking massive frustration, confusion and panic by implementing the recommended mitigations, or doing nothing and hoping layered defenses will work.
Because the nature of the vulnerability means an infected USB drive, network share, or folder anywhere on a user’s system needs only to be viewed to trigger the exploit, IT teams will need to make some tough calls.
This is compounded when you consider that document types allowing embedded shortcuts, such as those used in Microsoft Office, only increase the available attack surface, as they too are vulnerable.
It is hard to consider all of the risks the Windows Shell vulnerability exposes a network or business to without sensationalizing the flaw or attacks. This is where a solid incident response plan will come in handy. IT teams can only do what they can while waiting for an official patch.
