Security Bulletins

Vulnerability in Windows Shell

Background

On July 16, 2010, Microsoft released Security Advisory 2286198, which stated that Microsoft was investigating reports of targeted attacks exploiting the way Windows displays icons for shortcut (.lnk) files.

Impact

Browsing a folder that contains a maliciously crafted Windows shortcut can allow an attacker to run code with the privileges of the logged-on user. This can compromise a user's computer regardless of where the malicious file is located: a local folder on the hard drive, a USB-attached drive, a mapped drive, or a drive connected via WebDAV. Devices and drives that are shared by a large number of users present a greater risk than devices used by a single user.

Platforms Affected

This affects all supported versions of Microsoft Windows.

Local Observations

Before the Microsoft advisory was published, this attack was seen only in very limited instances. Since security researchers announced the vulnerability, easy methods of crafting malicious .lnk files have appeared on the Internet, and we expect use of this attack vector to increase.

UISO Recommendations

On August 2, 2010, Microsoft released an out-of-band (outside the normal patch schedule) bulletin, MS10-046, to address the underlying vulnerability. This patch is rated critical on all supported Windows operating systems and should be applied as soon as possible.

Limit exposure to possibly malicious shortcut files by disabling the Autorun functionality in Windows. Instructions for this can be found on the Microsoft web site in KB article 967715.

Run up-to-date antivirus software. Symantec stated that Symantec Endpoint Protection has been able to detect this threat since July 16, 2010.

Workarounds

If patching is not possible, the only way to prevent exploitation is to disable the display of icons for shortcuts. If implemented, this workaround needs to be applied on any computer that is used to view shortcut (.lnk) files or folders that may contain shortcuts. This is done via a registry edit that is listed in the Microsoft Advisory. The registry setting that controls this feature is not able to be s
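As an added example (not part of the original bulletin or of Microsoft's advisory), the following PowerShell audit reports whether the MS10-046 update is installed and whether the shortcut icon-handler workaround is in place. It assumes that Get-HotFix lists the MS10-046 update as KB2286198 and that the workaround clears the default value of the lnkfile and piffile IconHandler keys, as described in the advisory; both are assumptions, so confirm them against the advisory before relying on the result.

```powershell
# Added audit example: check a machine's exposure to the .lnk icon-handler issue.
# Assumptions: MS10-046 appears in Get-HotFix as KB2286198, and the advisory
# workaround clears the default value of the two IconHandler keys below.
$PatchId = 'KB2286198'
$IconHandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Test-Ms10046Installed {
    # $true when the update is present in the installed hotfix list.
    $hotfix = Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Get-IconHandlerState {
    # One record per key: is a shortcut icon handler still registered?
    foreach ($key in $IconHandlerKeys) {
        $default = $null
        if (Test-Path $key) {
            $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Key               = $key
            HandlerRegistered = -not [string]::IsNullOrEmpty($default)
            Handler           = $default
        }
    }
}

$patched    = Test-Ms10046Installed
$handlers   = Get-IconHandlerState
$workaround = -not ($handlers | Where-Object { $_.HandlerRegistered })

Write-Output ("MS10-046 ({0}) installed: {1}" -f $PatchId, $patched)
$handlers | Format-Table -AutoSize

if (-not $patched -and -not $workaround) {
    Write-Warning 'Neither the patch nor the icon-handler workaround is in place: exposed.'
} elseif (-not $patched) {
    Write-Output 'Unpatched, but the workaround is applied; install MS10-046 when possible.'
} else {
    Write-Output 'Patched.'
}
```

Get-HotFix only reports updates recorded by the Windows update mechanism, so a negative result is a prompt to check the installed-updates list, not proof that the machine is unpatched.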