Microsoft has said it is not yet clear when it will release a security update for the Windows flaw revealed at the end of last week.
It said that the time frame for the release is ‘to be decided’, but in the meantime it has updated the security advisory to include an automated ‘Fix It’ that installs the workarounds detailed in the advisory.
Christopher Budd, security response communications lead at Microsoft, said: “In summary, running the ‘Fix It’ can help prevent attacks attempting to exploit this vulnerability. This workaround will disable some icons from being displayed so we recommend administrators test this before deploying it widely.”
The advisory has also been updated with new information regarding possible attack vectors, and a new workaround has been added that customers can implement to block the download of LNK and PIF files and so help protect their environments.
Rik Ferguson, senior security advisor at Trend Micro, said that although Microsoft has stated that the ‘vulnerability is most likely to be exploited through removable drives’, users should be on their guard against all shortcut files whose authenticity they cannot guarantee.
He said: “This same vulnerability could be exploited through contaminated file shares or something as simple as a malicious compressed archive such as a zip file. Worryingly, the malware that was first exploiting this vulnerability appeared to be highly targeted, looking for Siemens WinCC SCADA systems. SCADA systems are routinely used in the control of utilities such as power and water and also in large-scale manufacturing. Siemens were warning their customers of this as early as 14th July.”
He commented that the source code for this malware is now in open distribution and he expected to see widespread criminal adoption of this technique from this point. “For now the best defence against attacks is contained within the Microsoft Security Advisory; disable the displaying of icons for shortcuts and disable the WebClient service,” he said.
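The two workarounds named above (stop Windows rendering shortcut icons, and disable the WebClient service) are the kind of thing an administrator wants to audit across a fleet before and after rolling out the Fix It. The following PowerShell script is an added example written for this article, not code from Microsoft, Trend Micro or the advisory: it reports whether each workaround is in place and, with `-Apply`, enforces both after backing up the affected registry keys. The registry paths for the shortcut icon handlers are taken from my recollection of the advisory and are treated here as an assumption; confirm them against the current advisory text before using the script in production, and remember that clearing the icon handler removes the custom icons on shortcuts, as Budd notes.

```powershell
# Added example: audit (default) or apply (-Apply) the two advisory workarounds.
# Not part of the article or of Microsoft's Fix It. Registry paths are assumed.
param([switch]$Apply)

# Assumed icon-handler locations for .lnk and .pif files (verify against the advisory).
$IconHandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)
$BackupDir = Join-Path $env:ProgramData 'lnk-workaround-backup'

function Get-IconHandlerState {
    # Returns one object per key: the handler CLSID currently registered and whether it is cleared.
    foreach ($key in $IconHandlerKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $handler = if ($null -ne $item) { $item.'(default)' } else { $null }
        [pscustomobject]@{
            Key       = $key
            Handler   = $handler
            Mitigated = [string]::IsNullOrEmpty($handler)
        }
    }
}

function Get-WebClientState {
    # The WebDAV client service is the second workaround; report status and start type.
    $svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return [pscustomobject]@{ Present = $false; Mitigated = $true } }
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status
        StartMode = $startMode
        Mitigated = ($svc.Status -eq 'Stopped' -and $startMode -eq 'Disabled')
    }
}

function Backup-IconHandlerKeys {
    # reg.exe export keeps a restorable copy so the workaround can be reverted after patching.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $IconHandlerKeys) {
        $nativeKey = $key -replace '^Registry::', ''
        $file = Join-Path $BackupDir (($nativeKey -replace '[\\:]', '_') + '.reg')
        & reg.exe export $nativeKey $file /y | Out-Null
    }
}

function Set-Workarounds {
    # Clears the icon handler default values and disables WebClient, as the advisory describes.
    Backup-IconHandlerKeys
    foreach ($key in $IconHandlerKeys) {
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name '(default)' -Value '' }
    }
    if (Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue) {
        Stop-Service -Name 'WebClient' -Force -ErrorAction SilentlyContinue
        Set-Service  -Name 'WebClient' -StartupType Disabled
    }
}

if ($Apply) { Set-Workarounds }

# Audit report: both workarounds must show Mitigated = True for the host to be covered.
Get-IconHandlerState | Format-Table -AutoSize
Get-WebClientState   | Format-List
```

Run it without parameters from an elevated prompt to see the current state, and with `-Apply` to enforce the workaround; the `.reg` files written to `%ProgramData%\lnk-workaround-backup` are what you import to restore icon rendering once the real update has been deployed.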
PandaLabs' technical director Luis Corrons pointed out that Microsoft said ‘the vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed’. He said: “In translation, any folder you open with a .lnk file can execute a file without asking for permission.
“The main problem is that this is not a vulnerability per se, but a feature. And it is included in all Windows versions, even those that are not supported anymore. And as it has to be fixed in each and every version of Windows, it will take more time to develop and test the patch. Microsoft already had a workaround, and now has published a user-friendly version of it. One of the side-effects when applying the patch is that you will lose the image of some of your icons.”
He urged everybody using Windows to apply the workaround, claiming that it is a matter of time before we start to see new malware using this technique to spread infections worldwide.
F-Secure said that the vulnerability makes this the ideal time to establish a USB device policy and to migrate from Windows XP Service Pack 2 as soon as possible. Users of Windows Explorer open themselves to attack simply by viewing the contents of a USB device, because specially crafted shortcut (.lnk) files are able to execute code when the shortcut's icon is loaded into the GUI.
Sean Sullivan, security advisor for F-Secure, said: “This shortcut worm is very dangerous and the seriousness of the situation will increase until Microsoft releases a fix. As Microsoft Windows XP Service Pack 2 is no longer supported, even the fix won't fully resolve the issue. This is a major concern as F-Secure's research shows that SP2 is still being used by many organisations.
“This danger can be mitigated with best practices. If a company doesn't have a security policy regarding USB devices, they're at risk. Those that do have a policy should review it and make sure that it's being followed. This is time critical as summer vacation season is approaching.”