Security Alert: Shortcut file Vulnerability

This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for LNK files. Microsoft uses LNK files, commonly referred to as “shortcuts,” as references to files or applications.

By convincing a user to display a specially-crafted LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an LNK file with Windows Explorer is sufficient to trigger the vulnerability.

By default, Microsoft Windows has AutoRun/AutoPlay features enabled.

These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user.

Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include

* disabling the display of icons for shortcuts

  • Click Start, click Run, type Regedit in the Open box, and then click OK
  • Locate and then click the following registry key:
  • Click the File menu and select Export
  • In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save
    Note This will create a backup of this registry key in the My Documents folder by default
  • Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
  • Restart explorer.exe or restart the computer

* disabling the WebClient service

  • Click Start, click Run, type Services.msc and then click OK.
  • Right-click WebClient service and select Properties.
  • Change the Startup type to Disabled. If the service is running, click Stop.
  • Click OK and exit the management application.

In addition to this work around, I have a suggestion that is somewhat similar, disable AutoRun as described in Microsoft Support article 967715.  This will keep any programs from auto-running.  Note that if you inset a USB Stick or CD in the drive, it wont run unless you go in an run the file manually, but you’ll be more secure.

No tags for this post.

Related Posts

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.