Exploit demonstrates critical Windows .lnk vulnerability
A proof of concept exploit for the unpatched vulnerability in the code for processing shortcuts (.lnk files) has been circulating since yesterday (Sunday). Source code for the exploit also appears to be in circulation. As soon as the Windows shell attempts to load the icon from the specially crafted .lnk file, the exploit sends the message "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" to the Windows debugger to demonstrate the success of the exploit.
Attackers could use this vulnerability to execute arbitrary code without requiring a user to execute a suspicious-looking .exe file. The malicious code could also be executed via WebDAV or via a shared network drive – it does not need to be located on a local drive.
Publication of the exploit increases the pressure on Microsoft to fix the security vulnerability, which was first disclosed a week ago. Reportedly, all versions of Windows since XP that are still supported by Microsoft are affected. Attacks to date have had all the hallmarks of sophisticated industrial espionage, but criminals are likely to be setting up much larger scale attacks aimed at a less select group of victims.
To protect against the attack, Microsoft is advising users to disable icon display for .lnk files by changing the registry value HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler. Users should back up their previous settings before making the change. Additionally, it's possible to disable the Web Client service in order to prevent attacks via WebDAV.
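The workaround described above, written out as an elevated PowerShell session (an added example, not code from The H or from Microsoft's advisory): it exports the affected key to a .reg file first, clears the IconHandler's default value so Explorer no longer loads icons for .lnk files, and stops and disables the WebClient service to close the WebDAV vector. The backup file name and the assumption that clearing the key's default value is how "disable icon display" is achieved are mine; Explorer has to be restarted (log off and on) before the change takes effect.

```powershell
# Added example: apply the .lnk icon-handler workaround and disable WebDAV client.
# Run from an elevated PowerShell prompt. Revert with the commands at the bottom.

$key    = 'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$backup = Join-Path $env:USERPROFILE 'lnkfile-IconHandler-backup.reg'   # constructed name

# 1. Back up the key before touching it; stop if the export fails.
reg.exe export $key $backup /y
if ($LASTEXITCODE -ne 0) { throw "Registry export failed; leaving $key unchanged" }

# 2. Clear the handler's default value so the shell no longer loads .lnk icons.
#    PowerShell has no HKCR: drive by default, so map one first.
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
$before = (Get-ItemProperty -Path 'HKCR:\lnkfile\shellex\IconHandler').'(default)'
Write-Host "IconHandler default value before change: $before"
Set-ItemProperty -Path 'HKCR:\lnkfile\shellex\IconHandler' -Name '(default)' -Value ''

# 3. Stop and disable the WebClient service to block the WebDAV delivery path.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

Write-Host "Workaround applied; log off and on so Explorer picks up the change."

# To revert once a patch is installed:
#   reg.exe import $backup
#   Set-Service -Name WebClient -StartupType Manual
```

Note that after this change every shortcut on the desktop and Start menu shows a generic icon, which is the visible cost of the workaround; keep the exported .reg file so the original CLSID can be restored once Microsoft ships a fix.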
- Trojan spreads via new Windows hole, a report from The H.