On July 16, Microsoft confirmed and added another Windows threat to its long list of recently discovered Windows bugs. This time it is related to shortcuts and is being exploited via a vulnerability in Windows Shell, the main graphical user interface. It is reported that this is exploited mainly using USB thumb drives.
According to the statistics of the Microsoft team tasked with creating antivirus signatures, they have tracked 5,000+ attempts to hack into Windows systems. That figure was as of July 15; heaven knows how many fold it has increased since then.
Almost all Windows operating systems are exposed to this threat, but the hardest hit is Windows XP Service Pack 2. No matter how critical the threat is, XP SP2 will not receive the fix, since Microsoft ended support for it on July 13, 2010.
Large-scale computer systems used by major businesses are the usual target of hacking attempts, so this is not much of a concern to average users. That doesn’t mean your computer is safe, but you are at the bottom of the list. How does this work? I think even basic Windows users know what shortcuts are. Shortcuts are links to a file or a program; when you double-click a shortcut, the file or program is opened. This saves a lot of time since we do not have to navigate to the exact location of the original file or program. Shortcuts are implemented as files with the LNK extension.
A hacker can gain entry to a system by producing a file with the LNK extension that carries malicious code. When the shortcut is accessed, the code is executed, leaving the system at the hacker’s mercy. This vulnerability can be exploited through removable drives and can also be distributed over networks.
The flaw is triggered when Windows Shell attempts to load a shortcut’s icon: it does not correctly validate specific parameters of the shortcut. When exploited successfully, the hacker can run arbitrary code on the targeted system. If the logged-in user has administrative rights, the hacker can gain complete control of the system; an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts have fewer rights on the system could be less impacted.
It is reported that this vulnerability is used in conjunction with a family of malware known as ‘Stuxnet’. The Stuxnet malware includes a Trojan horse which downloads further attack code, along with a rootkit (software designed to gain administrator-level control over a computer system without being detected).
Disabling the AutoPlay function is a good idea. However, it does not remove the threat but only delays it, as the user would merely have to launch Windows Explorer or a similar application manually and browse to the affected folder of the removable disk. Within networks it is a good idea to block outbound Server Message Block (SMB) connections to minimize remote exploitation.
An automated Microsoft fix is available for this issue. You can find it in the Microsoft Knowledge Base at http://support.microsoft.com/kb/2286198. You can also fix this manually by editing the registry. For that you need to edit two registry keys. These are:
HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
You can see that there are two keys here. This is because the threat concerns two types of shortcut. The first is the LNK file, which we already know. The second type, with the PIF extension, is related to MS-DOS programs.
It is a good idea to back up the registry before making any changes, since incorrect editing can cause serious problems that may require you to reinstall your operating system. What you need to do is find the relevant registry key, select the value in the right-hand pane of the Registry Editor, press Enter to edit the value, and delete the existing value.
However, it must be noted that when this method is applied, the system may display most icons as a plain “white” default icon, which does impact usability. If you are using Microsoft’s fix, a workaround is also available on the same page.
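As an added example (not part of the original post), the following PowerShell script carries out the manual procedure above on both keys: it exports each key as a backup, checks whether its default value is already cleared, and clears it if not. The backup folder location and the Test-IconHandlerDisabled helper are my own choices; run it from an elevated prompt.

```powershell
# Added example: back up and apply the IconHandler registry workaround
# described in the article, with a check of the result.
# Restore later by importing the exported .reg files. Key paths are the
# two from the article; the backup folder is an assumption.
$keys = @(
    'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

$backupDir = Join-Path $env:USERPROFILE 'IconHandler-backup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Test-IconHandlerDisabled {
    # Returns $true when the key's (default) value is empty or the key is
    # absent, i.e. the Shell has no icon handler to load for that file type.
    param([string]$Key)
    $item = Get-ItemProperty -Path "Registry::$Key" -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    return [string]::IsNullOrEmpty($item.'(default)')
}

foreach ($key in $keys) {
    $name   = ($key -split '\\')[1]        # 'lnkfile' or 'piffile'
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $backupDir "$name-IconHandler-$stamp.reg"

    # Step 1: back up the key before touching it (reg.exe export writes a
    # .reg file that can be re-imported to undo the change).
    & reg.exe export $key $backup | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Backup of $key failed; not modifying it."
        continue
    }

    if (Test-IconHandlerDisabled -Key $key) {
        Write-Host "$key : already cleared"
        continue
    }

    # Step 2: clear the (default) value, which is what the article's
    # manual procedure does in the Registry Editor.
    $current = (Get-ItemProperty -Path "Registry::$key").'(default)'
    Write-Host "$key : handler '$current' backed up to $backup"
    Set-ItemProperty -Path "Registry::$key" -Name '(default)' -Value ''

    if (Test-IconHandlerDisabled -Key $key) { Write-Host "$key : cleared" }
    else { Write-Warning "$key : value still set; check permissions" }
}
# Log off and on (or restart Explorer) for the Shell to pick up the change.
```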