Microsoft warns of Windows shortcut drive-by attacks

Hackers can exploit new zero-day by luring users to nasty sites

Microsoft on Tuesday said that hackers could exploit the unpatched Windows shortcut vulnerability using drive-by download attacks that would trigger an infection when people simply surf to a malicious Web site.

A noted vulnerability researcher today confirmed that such attacks are possible.

In the revised security advisory published yesterday, Microsoft acknowledged the new attack vector.

"An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location," the company said in the advisory. "When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked."

That language was a change from earlier statements by Microsoft, which had said that attackers could hijack Windows PCs by setting up a remote network share, a much more complicated task than building a malware-spreading Web site. In the earlier advisory, Microsoft also said that "the malicious binary may be invoked"; the most recent warning instead said "the malicious binary will be invoked" [emphasis added in both cases].

Last Friday, Microsoft confirmed that Windows contained a flaw in the parsing of shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.
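The advisory quoted above describes the trigger: when a folder or Web page is displayed, Windows parses each shortcut and loads whatever the shortcut names as its icon source, which may be a library on a remote share. The following triage script is an added example for defenders and is not code from the article, from Microsoft or from Metasploit. It parses the Shell Link (.lnk) header and string data as laid out in the public MS-SHLLINK format, and flags shortcuts whose icon is resolved from a remote location or from a library outside the Windows directory. The sample shortcut bytes, the host name `files.example.test` and the heuristics in `assess_shortcut()` are constructed for the example.

```python
import struct

# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the Shell Link header (offset 0x14)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData blocks appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Parse the header, item ID list and string data of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 0x14)
    icon_index, = struct.unpack_from("<i", data, 0x38)
    pos = 0x4C
    id_list = b""
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        size, = struct.unpack_from("<H", data, pos)
        id_list = data[pos + 2: pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINK_INFO:                      # LinkInfo starts with its own total size
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    info = {"flags": flags, "icon_index": icon_index, "id_list": id_list}
    for flag, name in STRING_FIELDS:               # CountCharacters (2 bytes) + characters, no terminator
        if flags & flag:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                info[name] = data[pos: pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info[name] = data[pos: pos + count].decode("cp1252", errors="replace")
                pos += count
    return info


def assess_shortcut(data: bytes) -> list:
    """Return human-readable findings for a shortcut; empty list means nothing suspicious (heuristic)."""
    info = parse_lnk(data)
    findings = []
    icon = info.get("icon_location", "")
    if icon:
        low = icon.lower().replace("/", "\\")
        remote = low.startswith("\\\\") or low.startswith(("http:", "https:"))
        library = low.endswith((".dll", ".cpl"))
        local_system = low.startswith(("%systemroot%", "%windir%", "c:\\windows"))
        if remote:
            findings.append("icon resolved from a remote location: " + icon)
        elif library and not local_system:
            findings.append("icon loaded from a library outside the Windows directory: " + icon)
    # Heuristic: the item ID list can also carry a path; look for library references in ANSI or UTF-16
    blob = info["id_list"].lower()
    for ext in (".dll", ".cpl"):
        if ext.encode() in blob or ext.encode("utf-16-le") in blob:
            findings.append("item ID list references a library (" + ext + ")")
            break
    return findings


def build_lnk(icon_location=None, relative_path=None, id_list=b"") -> bytes:
    """Construct a minimal Unicode .lnk for testing (sample data, not a real shortcut from a system)."""
    flags = IS_UNICODE
    flags |= HAS_LINK_TARGET_ID_LIST if id_list else 0
    flags |= HAS_RELATIVE_PATH if relative_path is not None else 0
    flags |= HAS_ICON_LOCATION if icon_location is not None else 0
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    for text in (relative_path, icon_location):             # same order as STRING_FIELDS
        if text is not None:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: a normal document shortcut and one whose icon lives on a remote share
BENIGN = build_lnk(relative_path=".\\notes.docx", icon_location="%SystemRoot%\\system32\\shell32.dll")
SUSPECT = build_lnk(relative_path=".\\readme.txt", icon_location="\\\\files.example.test\\share\\icons.dll")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, assess_shortcut(sample) or "no findings")
```

In an incident-response setting the same `assess_shortcut()` can be run over every `.lnk` found on a removable drive, a network share or an e-mail attachment store before the folder is ever opened in Explorer; the point is that the icon source is read from the file without Windows loading it.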

All versions of Windows are at risk, including the recently retired-from-support Windows XP SP2 and Windows 2000.

So far, attacks exploiting the bug appear to be limited to targeted assaults against software that manages large-scale industrial control systems in major manufacturing and utility companies. Siemens AG has confirmed that one of its customers, a German manufacturer it declined to name, had been victimized by an attack exploiting the shortcut bug.

If drive-by attacks can be launched using the vulnerability, it will be relatively easy for other hackers to join the party and expand attacks to the general PC population. Most security experts consider drive-by attacks among the most dangerous of all threats, since they require only that users be duped into browsing to a malicious site or a legitimate site that's been compromised.

HD Moore, the chief security officer of Rapid7 and the creator of the well-known Metasploit hacking toolkit, confirmed that drive-by attacks are feasible in some situations.

After additional testing and tweaking of an exploit that was added to Metasploit earlier this week, Moore said he was able to conduct drive-by attacks that leveraged the shortcut flaw. But there are some caveats, he said in several e-mailed replies to Computerworld's questions.

"IE8 still requires confirmation before going from Internet zone to [a] WebDAV share," he said, referring to an Internet Explorer security setting. "It is an easy drive-by on IE6, but there is still user interaction with newer versions of IE."

The attack doesn't work when users browse with Mozilla's Firefox or Google's Chrome, Moore said.

He also saw results that varied with the version of Windows running on the PC, echoing comments from other researchers that drive-by attacks using IE6, IE7, IE8 and IE9 were successful on Windows XP, but not on the newer Windows 7. "It looks like Windows 7 has some additional magic which creates a pop-up [warning], and I suspect Vista is the same," said Moore.

Also on Tuesday, Microsoft admitted that shortcut-based exploits could be embedded into Office documents, which would likely be delivered as e-mail attachments.

Microsoft promised to patch the problem, but has given no hint about when it will complete that work. The next regularly scheduled security updates are due to ship on Aug. 10.

In lieu of a patch, Microsoft has recommended that users disable the displaying of shortcut icons in Windows. Yesterday it published an automated "Fix it" tool that lets users switch off shortcut icons with a single click.

However, that advice effectively cripples the computer, something Microsoft acknowledged when it said turning off shortcut icons would "impact usability" of the machine. Disabling shortcut icons transforms the usual graphical icons on the desktop and elsewhere into generic white icons, making it impossible for users to tell at a glance which will launch IE and which represents a Microsoft Word document.

Moore remained confident that Microsoft would be able to quickly patch the problem, perhaps within two weeks.

"The core issue may be as simple as passing the LOAD_LIBRARY_AS_IMAGE_RESOURCE flag into the LoadLibrary() call used to map the DLL in order to extract the [shortcut] icon," he explained in another e-mail. "The question is whether the API used needs more than 'resource-only' access in order to function properly."

Users can access the Fix it tool that disables shortcuts from Microsoft's support site.


Gregg Keizer

Computerworld (US)