Microsoft confirms USB trojan hole
In a security advisory, Microsoft confirms the security flaw in the code for processing shortcuts (.lnk files), which can be exploited to infect Windows systems simply when a USB stick is opened. A few days ago, it was discovered that a worm is apparently already exploiting this hole to spy on computers.
All still supported Windows versions, from Windows XP onward, are affected. The flaw occurs when the Windows shell tries to read an .lnk file's icon. In the process, the shell does not sufficiently check a parameter, allowing attackers to execute arbitrary code – for instance, when the user opens a USB stick in Explorer. However, Microsoft's Security Response Center (MSRC) writes that the hole can also be exploited remotely via WebDAV and network shares.
A patch for the hole is not yet available, nor has Microsoft said when one will be made available. For the time being, workarounds provide the only protection. Microsoft's security team recommends switching off the display of icons for .lnk files by changing the registry value
But first, you should back up your current settings. Furthermore, the Web Client service can be switched off to prevent attacks via WebDAV.
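The two workarounds described above, as an added example that is not part of the article or of Microsoft's advisory: it backs up the relevant registry key before touching it, blanks the .lnk icon handler registration, and disables the Web Client service. The exact registry value is not reproduced on this page; the script assumes it is the default value of the standard .lnk icon handler key, and that the WebDAV client runs as the "WebClient" service.

```powershell
# Added example (not from the article or the advisory). Run from an elevated
# PowerShell prompt. ASSUMPTIONS: the registry value meant above is the default
# (unnamed) value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler, and the
# WebDAV client is the "WebClient" service.

$regExePath = 'HKCR\lnkfile\shellex\IconHandler'                      # reg.exe-style path
$psKey      = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'  # PowerShell path
$backupFile = Join-Path $env:TEMP 'lnk-iconhandler-backup.reg'

# 1. Back up the current settings first; "reg import $backupFile" reverts the change.
reg export $regExePath $backupFile /y | Out-Null
if (-not (Test-Path $backupFile)) { throw "Registry backup failed; nothing was changed." }

# 2. Switch off icon display for .lnk files by blanking the handler's default value.
$before = (Get-ItemProperty -Path $psKey).'(default)'
Set-ItemProperty -Path $psKey -Name '(default)' -Value ''
Write-Host "IconHandler default value: '$before' -> '' (backup in $backupFile)"

# 3. Switch off the Web Client service to close the WebDAV vector.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
    Write-Host "WebClient service stopped and set to Disabled."
} else {
    Write-Host "WebClient service not present on this host."
}

# 4. Verify both changes took effect.
$after = (Get-ItemProperty -Path $psKey).'(default)'
if ($after -ne '') { throw "IconHandler default value is still set: '$after'" }
if ($svc -and (Get-Service -Name WebClient).Status -ne 'Stopped') { throw "WebClient still running." }
Write-Host "Workarounds applied."
```

Explorer has to be restarted (or the user logged off) before the icon change takes effect; shortcut icons are then shown as generic white icons until the backup is re-imported after a patch is installed.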
The currently known attacks are highly professional. Among other things, they contain a rootkit which embeds itself in the system as a digitally signed Realtek driver and spies on controllers of large, distributed systems (SCADA, Supervisory Control and Data Acquisition). Security experts speculate that the attacks may be organised by as yet unidentified secret services.
The good thing is that the attacks are apparently still quite targeted, so the malicious software has not gone into wide circulation. But now that the problem is known, others can be expected to jump on the bandwagon and exploit the flaw to install botnet clients and spyware. In other words, you should batten down the hatches on your Windows systems quickly, and hope that Microsoft will provide a fix soon.
- Security Advisory 2286198 Released, an MSRC blog post.