Microsoft Issues Shortcut Vulnerability Patch

Microsoft issued an out-of-band patch to address a critical vulnerability in the way Windows parses .LNK shortcut files, which opens the door to an attack. Malware associated with the vulnerability has already been spotted in the wild.

Microsoft released an out-of-band patch to address a "critical" vulnerability in how Windows handles shortcuts, as outlined in Microsoft Security Bulletin MS10-046.

"This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2," Christopher Budd, response manager for Microsoft's Trustworthy Computing division, wrote in an Aug. 2 posting on the Microsoft Security Response Center blog. "As our colleagues over in the MMPC [Microsoft Malware Protection Center] have noted, several families of malware have been attempting to attack this vulnerability. The security update protects against attempts to exploit this issue."

The vulnerability targets the way Windows parses .LNK shortcut files. In theory, an attacker could exploit the vulnerability locally, via a malicious USB drive, or over network shares and WebDAV. Documents that support embedded shortcuts could also be leveraged for an attack.

Malware associated with the vulnerability includes Stuxnet, which targets Siemens' SCADA (supervisory control and data acquisition) software used by industrial companies. Specifically, Stuxnet uses default passwords in an attempt to connect with databases associated with SCADA systems, in order to collect information and obtain possibly vital files. Siemens responded with a patch July 22 for organizations at risk of attack.

Within a few days of Stuxnet's appearance, Sophos security researchers found two more malware exploiting the Windows vulnerability: one a keylogging Trojan termed "Chymin-A" by Sophos, and the other a "worm written in obfuscated Visual Basic" termed Dulkis-A.

Microsoft made a handful of high-profile announcements at this July's Black Hat 2010 security conference, including Adobe Systems' decision to begin informing vendors of software vulnerabilities via the Microsoft Active Protections Program.

Originally launched in October 2008, MAPP was built with the intention of delivering vulnerability information to security software vendors ahead of Redmond's regular Patch Tuesday updates. Adobe plans to share information about its product vulnerabilities with 65 global MAPP members.

Microsoft also announced EMET (Enhanced Migration Experience Toolkit), which "brings newer security mitigations to older Microsoft platforms and applications," in the company's words, and blocking targeted attacks.