Warnings of a new Microsoft Windows flaw, as it investigates targeted attacks in the Shell component

News by Dan Raywood

Warnings have been made over a new zero-day vulnerability that affects all versions of the Windows operating system.

Warnings have been made over a new zero-day vulnerability that affects all versions of the Windows operating system.

Just six days after Microsoft's monthly Patch Tuesday covered recently exploited flaws, Microsoft issued an advisory for a problem affecting all current Windows Operating Systems on Friday. It claimed that it was investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Windows.

It said that the vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut.

This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, users would have to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

David Harley, director of malware intelligence at ESET, pointed out that USB devices are not the only potential vector, as network shares and webDAV shares can also be used to distribute malicious links. He notes that all of the affected platforms, essentially all current Windows versions, are listed in the advisory, but it is unlikely that there will be a patch for XP SP2 or Windows 2000, which have reached the end of their support life.

Security blogger Brian Krebs said: “If this truly is a new vulnerability in Windows, it could soon become a popular method for spreading malware. But for now, this threat seems fairly targeted.

"Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.

Chester Wisniewski, senior security advisor at Sophos, claimed that the results of research ‘are not good news for Windows users'. He said: “It is important to think about this attack as two separate pieces, one that is a new zero-day vulnerability that could easily be adopted by any malware author, the other a unique payload that appears to be designed to go after some very specific infrastructure targets.”

Explaining the zero-day vulnerability, Wisniewski said: “The flaw is in how shell32.dll tries to load control panel icons from applets. By making a specially crafted shortcut pointing to a malicious file, you can make Windows Explorer blindly execute the malicious file when the location of the shortcut is merely browsed to.

“In this case the malicious file is a rootkit and a dropper that immediately hide the special shortcut (.lnk) files. Allowing executable code to load in the process of trying to retrieve an icon seems like a major oversight in the design of Windows.”

Wolfgang Kandek, CTO at Qualys, commented that the Microsoft advisory does not list Windows XP SP2 or Windows 2000 as being affected following the end of support for both operating systems last Tuesday.

He said: “We assume the attack works against both of them and attackers will surely take advantage of this security hole. We recommend upgrading your existing Windows XP SP2 installations to SP3 as soon as possible to be able to install the security update for this issue once Microsoft publishes it. Windows 2000 users face a bigger hurdle and they need to upgrade to an entirely new operating system.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews