Microsoft Patches Zero-Day Security Hole in Windows Shortcuts
IT admins get a fix to protect against malware attacks using specially crafted .LNK files that can break into all versions of Windows.
As expected, Microsoft on Monday delivered a patch for a critical zero-day vulnerability discovered last month in all supported versions of Windows, from XP through Windows 7.
Microsoft's (NASDAQ: MSFT) so-called "out-of-band" patch addresses a two-week-old security hole in the way that a component called the Windows Shell processes shortcut .LNK files. The files represent links to applications and are displayed as icons on a user's Windows desktop.
The problem stems from the fact that .LNK files can be incorrectly validated as being safe when processed by the shell. The most common attack vector for attacks is via removable file storage devices like USB memory sticks and portable hard drives, according to Microsoft.
In early reports, Microsoft security response personnel indicated that there had been only "limited targeted" attacks on the vulnerability in the wild. But by last week, Microsoft said that attacks on the Web have been escalating since the flaw became public and announced the imminent availability of the out-of-band patch.
Microsoft normally issues the vast majority of its security patches on the second Tuesday of each month -- a date thus nicknamed "Patch Tuesday." Most security holes, even many ones rated by Microsoft as "critical" -- the most severe ranking on Microsoft's four-tier scale -- are handled via patch releases on Patch Tuesday.
However, Microsoft will sometimes ship a patch as soon as it's been coded and thoroughly tested rather than wait for the next Patch Tuesday drop. That is referred to as an out-of-band release, and typically occurs only when a vulnerability with the potential to cause serious system compromise is already being exploited in the wild after catching the developer unaware. (Thus the term "zero-day" vulnerability, so named because the exploit's emergence is the first notice software developers have been given of a threat, and because they have had zero days to prepare a patch in response as a result.)
As soon as the attacks surfaced last month, Microsoft issued a Security Advisory that warned systems administrators and PC help desk personnel about the problem. It also published a workaround.
By now, the exploit for the flaw has been incorporated into several families of malware, according both to Microsoft's Security Bulletin accompanying the new patch, as well as to other security experts.
"Originally it was reported the issue was being actively exploited in the Stuxnet malware and, after expanding to a half a dozen different variants of Stuxnet, it is now reportedly being used within other malware, including 'Sality,' 'Vobfus,' and 'Chymine,' Paul Henry, security and forensic analyst at security firm Lumension, said in a blog post Friday.
Because the patch covers all supported versions of Windows, installing the release is especially urgent. However, there is one "gotcha" that could turn into a nightmare for support staff: Last month, Microsoft ended support for Windows 2000 Service Pack 4 (SP4) and Windows XP SP2.
As a result, there will be no supported .LNK vulnerability patch for XP SP2 -- only for SP3 -- and no supported patch at all for Windows 2000.
Microsoft strongly recommends that users quickly upgrade to XP SP3, which is still supported until April 2014, or to upgrade to Windows 7, as soon as possible.