Microsoft Windows Security Advisory Flawed, Pros Say

UPDATED: Security researchers are expressing concern that Microsoft's security advisory about a Windows vulnerability is misleading, as users do not need to click on malicious icons in order to trigger malware exploiting the flaw, which, according to all sides, has already been the subject of attacks.

Some security pros are taking issue with Microsoft's advisory on a zero-day vulnerability one researcher referred to as "simple to exploit."

The vulnerability lies in the Windows Shell component. While Microsoft asserted in its advisory July 16 that the result of the vulnerability is that "malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut," security researchers are stressing that it is not necessary for users to click on an icon.

"All you do is open a device/network share/WebDav point that has the shortcut, and boom! It runs whatever you tell it to," said Sophos Senior Security Advisor Chester Wisniewski. "It is downright simple to exploit. Any criminal with the most basic of skills can take advantage of this flaw. We have not seen much activity in the wild yet, but now that a proof of concept is posted it is likely to become a major issue as the week rolls on."

During the weekend of July 17, a security researcher going by the moniker Ivanlef0u published a working exploit for the flaw, which was already being used to infect computers via USB drives with malware known as Stuxnet.

Sean Sullivan, security advisor for North American Labs at F-Secure, wrote on the company's blog that F-Secure's analysis indicated clicking on an icon was not required, and simply browsing the removable drive was enough to trigger malware. In addition, disabling the AutoPlay feature on Windows 7 "isn't much of a mitigating factor for the vulnerability" despite what's stated in the advisory, he said.

"It's only: click Start, click Computer and click [Removable] Disk," Sullivan wrote. "Three clicks and you're at risk. But still, organizations should disable the AutoPlay feature in order to limit Windows 7 social engineering tricks."

As workarounds, Microsoft suggested that users disable the WebClient service as well as the displaying of icons for shortcuts. However, while these would solve the problem, Wisniewski noted that disabling icons could cause confusion for users, while disabling the WebClient service used for WebDav may be limiting for organizations that rely on Microsoft SharePoint.

"I think Microsoft's workarounds are difficult to implement and somewhat cripple the ability to use Windows," he said. "Instead I recommend people implement an SRP (software restriction policy) disallowing execution of file outside of C:\."

Microsoft did mention on its Malware Protection Center blog that "simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction."

Jerry Bryant, Microsoft group manager for response communications, said there are plans for a security update to address the issue but the release timetable has yet to be determined.

"We continue to investigate mitigations and workarounds and will update the advisory with new information as we have it available," Bryant said.

*UPDATE: Microsoft has since updated the advisory to address concerns.