Microsoft Blindsided by Another Zero-Day Attack

Microsoft acknowledged that a new zero-day attack on Windows is underway on the Web -- this one already involved in live exploits "in the wild," the company said.

The latest zero-day was found in all supported versions of Windows, including Windows 7 and Windows Server 2008 Release 2 (R2), according to a Microsoft (NASDAQ: MSFT) Security Advisory issued late Friday.

The security flaw lies in the way a component called the Windows Shell processes shortcuts (.LNK files), such as the application icons a user places on the desktop. The shell does not correctly validate a shortcut file before acting on it, so a malformed shortcut can trigger code execution simply by being processed.

Microsoft's advisory said that so far the company is aware of "limited, targeted attacks."

Unfortunately for many users, last week Microsoft quit providing any support, including bug fixes, for Windows XP Service Pack 2 (SP2). However, XP SP3 is still supported, so if or when Microsoft addresses this latest zero-day attack, SP3 users would get the fix.

Additionally, last week Microsoft also discontinued support for Windows 2000 SP4.

According to the advisory, the most common attack vector for malicious hackers is via removable file storage devices, such as portable hard drives and USB memory sticks.

An exploit for the security flaw, dubbed Stuxnet, has already surfaced.

"[Stuxnet] takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction," Tareq Saade, a spokesperson said in a post on the Microsoft Malware Protection Center blog.

A successful exploit of the flaw could lead to a complete compromise of the user's system.

One piece of good news -- the Stuxnet malware signature is already intercepted by Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway and the Windows Live Safety Platform, Dave Forstrom, a spokesperson for Microsoft's Trustworthy Computing group, said in an e-mail to InternetNews.com.

Microsoft has not yet decided whether the flaw warrants a patch. As is usual in such circumstances, the Security Advisory said the company is evaluating its options and monitoring attack activity on the Web, and will release a patch if one is ultimately deemed necessary.

In the meantime, the company has posted two workarounds.

One requires editing the Windows Registry to disable the display of shortcut icons. The other disables the WebClient service.

Additionally, systems that have "AutoPlay" disabled, the default for Windows 7, cannot be automatically targeted. "For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited," the advisory said.
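For administrators who want to confirm where a host stands on the three mitigations the article describes (shortcut icon display, the WebClient service, and AutoPlay), the following PowerShell audit script is an added example; it is not from the article or from Microsoft's advisory. The registry paths, the shortcut IconHandler key and the `NoDriveTypeAutoRun` policy value it inspects are assumptions drawn from general Windows knowledge, not values quoted on this page, and the script only reads state; it changes nothing.

```powershell
# Added example (not from the article or Microsoft's advisory): report whether the
# mitigations described above are in effect on this host. Registry paths and the
# IconHandler key below are assumptions, not values taken from the article.

function Test-LnkIconHandlerDisabled {
    # Workaround 1: shortcut icon rendering is off when the lnkfile IconHandler
    # default value has been cleared or the key removed (assumed registry location).
    $key = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
    if (-not (Test-Path -Path $key)) { return $true }
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    return [string]::IsNullOrEmpty($value)
}

function Test-WebClientDisabled {
    # Workaround 2: the WebClient (WebDAV) service is both stopped and set to Disabled.
    # Win32_Service is used instead of Get-Service so StartMode is available on older hosts.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'" -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $true }   # service not installed at all
    return ($svc.State -ne 'Running') -and ($svc.StartMode -eq 'Disabled')
}

function Test-AutoRunDisabledForAllDrives {
    # AutoPlay/AutoRun is policy-disabled for every drive type when NoDriveTypeAutoRun
    # is 0xFF in the machine or user Explorer policy key (assumed value; this is a strict
    # check and reports $false for the Windows 7 default, which only restricts some types).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    return $false
}

function Get-LnkMitigationReport {
    # Returns an ordered table of mitigation name -> $true/$false so it can be logged
    # or fed to a configuration-management check.
    return [ordered]@{
        'Shortcut icon handler disabled'   = Test-LnkIconHandlerDisabled
        'WebClient service disabled'       = Test-WebClientDisabled
        'AutoRun disabled for all drives'  = Test-AutoRunDisabledForAllDrives
    }
}

# Print the report when the script is run directly.
(Get-LnkMitigationReport).GetEnumerator() |
    ForEach-Object { '{0,-35} {1}' -f $_.Key, $_.Value }
```

Run it from an elevated prompt so the HKLM policy key and service state are readable. A `False` in any row means that particular workaround is not applied; the article notes that the AutoPlay setting only prevents automatic triggering, since a user who manually browses to the removable drive's root folder can still be affected.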

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.