Some of the issues around the LNK zero-day vulnerability
Much of the security industry is talking about the .LNK zero-day vulnerability currently affecting all Windows platforms. There are several issues here. For a start, you don’t need to click anything to get infected: all that is necessary is the presence of a malformed Windows shortcut file. As Rahul Kashyap of McAfee Avert Labs comments:
This flaw can be triggered when explorer.exe (Windows Explorer) or iexplorer.exe (Internet Explorer) tries to render a malformed .LNK file that points to a malicious executable. The user need not double click on the .LNK file to trigger the vulnerability; just opening the folder containing the malicious shortcut is enough to get infected.
Microsoft 0day: Malformed Shortcut Vulnerability
A second issue is that since the problem is basically a design flaw in Windows itself, there is no easy workaround. If you open a folder containing one of these malformed shortcut files – bang – you've had it. But how do you know whether a malformed .LNK is in the folder until you open it? Here's the best workaround: switch off your computer.
So forget about workarounds and concentrate on keeping your AV defences up to date – and hope that your AV supplier gets, and stays, on top of the problem at least until Microsoft patches it. But that raises the next issue: if you're an XP SP2 user, there won't be a patch. Eddy Willems thinks this vulnerability will finally kill off XP SP2:
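The question above, how to know what a folder's shortcuts point at before Explorer gets a chance to render them, can be answered from a script that reads the .LNK bytes directly and never hands them to the shell. The Python below is an added example, not code from this post or from any of the vendors quoted in it. It follows the documented MS-SHLLINK layout (76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then StringData), reports each shortcut's target and icon path, and flags structural inconsistencies such as a wrong header or declared sizes that run past the end of the file. The shortcut bytes it inspects are constructed inline for the demonstration; the "problems" it reports are generic sanity checks on the format, not a signature for the flaw discussed here.

```python
"""Static inspector for Windows .LNK files (MS-SHLLINK layout): parses the bytes so
Explorer never renders them. Sample bytes below are constructed for this example."""
import os
import struct
import tempfile
HEADER_SIZE = 0x4C                                     # ShellLinkHeader is 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
(HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
 HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = [1 << i for i in range(8)]  # LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                   # LinkInfo.LinkInfoFlags bit
STRING_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),   # fixed order
                (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                (HAS_ICON_LOCATION, "icon"))

class Truncated(Exception): pass  # a declared size or offset points past the end of file

def _need(data, pos, length, what):
    """Bounds-check every read: a malformed file may lie about its sizes."""
    if pos + length > len(data):
        raise Truncated("%s runs past end of file" % what)

def _read_string(data, pos, width):
    """StringData item: 2-byte character count, then count*width bytes (no NUL)."""
    _need(data, pos, 2, "StringData count")
    count = struct.unpack_from("<H", data, pos)[0] * width
    _need(data, pos + 2, count, "StringData")
    raw = data[pos + 2:pos + 2 + count]        # ANSI = system code page; latin-1 stands in
    return raw.decode("utf-16-le" if width == 2 else "latin-1"), pos + 2 + count

def inspect_lnk(data):
    """Return (info, problems) for one shortcut's bytes without rendering it."""
    info, problems = {}, []
    try:
        _need(data, 0, HEADER_SIZE, "ShellLinkHeader")
        header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
        if header_size != HEADER_SIZE:
            problems.append("HeaderSize is 0x%X, expected 0x4C" % header_size)
        if clsid != LNK_CLSID:
            problems.append("LinkCLSID is not the shell link CLSID")
        pos = HEADER_SIZE
        if flags & HAS_LINK_TARGET_ID_LIST:              # skip the LinkTargetIDList
            _need(data, pos, 2, "IDListSize")
            idlist_size = struct.unpack_from("<H", data, pos)[0]
            _need(data, pos + 2, idlist_size, "LinkTargetIDList")
            pos += 2 + idlist_size
        if flags & HAS_LINK_INFO:                        # LocalBasePath is the target
            _need(data, pos, 20, "LinkInfo header")
            li_size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
            _need(data, pos, li_size, "LinkInfo")
            if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
                end = data.find(b"\x00", pos + base_off, pos + li_size)
                if end < 0:
                    problems.append("LocalBasePath not NUL-terminated inside LinkInfo")
                else:
                    info["target"] = data[pos + base_off:end].decode("latin-1")
            pos += li_size
        for bit, key in STRING_ORDER:                    # ExtraData after this is skipped
            if flags & bit:
                info[key], pos = _read_string(data, pos, 2 if flags & IS_UNICODE else 1)
    except Truncated as exc:
        problems.append(str(exc))
    return info, problems

def scan_directory(root):
    """Walk root and inspect every *.lnk by reading bytes, never via the shell."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".lnk"):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    info, problems = inspect_lnk(fh.read())
                results.append((name, info, problems))
    return results

def build_sample_lnk(target, icon):
    """Construct a well-formed shortcut for this demonstration (not a real file)."""
    flags = HAS_LINK_INFO | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # archive attr, SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 17, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base = target.encode("latin-1") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, base_off, 0, suffix_off) + volume_id + base + b"\x00"
    icon_data = struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    return header + link_info + icon_data + b"\x00\x00\x00\x00"  # TerminalBlock ends file

def demo():
    """Write a good and a truncated copy of the sample to a temp folder and scan it."""
    good = build_sample_lnk("C:\\Windows\\notepad.exe", "C:\\Windows\\System32\\shell32.dll")
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("good.lnk", good), ("truncated.lnk", good[:100])):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)                        # truncated: LinkInfo outruns the file
        return scan_directory(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run against a real folder with `scan_directory("/path/to/mounted/usb")`: the point is that the inspection happens in your process on the raw bytes, so the shell's icon handler is never invoked on the way to an answer. The parser only walks as far as it needs to find the target and icon strings; the ExtraData blocks that follow are deliberately left unparsed.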
Take it from me: in the long run this lnk problem will kill MS Win2000 and MS Windows XP SP2 earlier than expected, as these OSes will have no support or critical updates anymore, except if MS decides to make an exception; however, I doubt it!
Also, the number of Windows XP SP2 users is still very high… and do you really think that they care or are aware of their 'not' supported OS? Most of them don't even know that they are using Windows XP; 'they use Windows'.
The Microsoft LNK / USB worm / rootkit ‘issue’ will kill WIN XP SP2 and WIN2000 earlier…
The issue that intrigues me most, however, is the one raised by ESET's Randy Abrams. In effect, we owe the perpetrator of the worm exploiting this vulnerability a debt of gratitude. This is a vulnerability to kill for (and possibly not just figuratively). It is the sort of attack potential that governments, secret services and organised crime would pay a lot of money for; and they would then guard it vehemently.
I would imagine there is at least one intelligence person somewhere in the world with the singular goal of finding and executing whoever used the vulnerability as they did. It isn't an affinity for SCADA systems that has them pissed off, it is the waste of an NSA grade exploit. This was a very, very potent weapon. In the hands of a skilled professional an exploit of this grade would do something like install remote access software on a target PC and then eliminate all traces of its existence. Think spy novel… Malicious files with the LNK vulnerability are left on a USB drive for the target to put in their PC. Immediately an undetected bot is installed with a rootkit and the lnk files are wiped from the drive. Why? Because you don't want anyone to know that you can infect their computer just by having them look at the contents of the USB drive. By coupling this exploit with self-replication, a worm, the exploit is all over the world and certain to be discovered. Whoever is behind win32Stuxnet did not even realize what they actually had and of what value it really was. Well, there is another explanation. By making the malware spread all over the place they could obscure a specific target. Perhaps the attacker was going after one specific target and everything else was collateral damage. Possible, but still, you don't waste an exploit this valuable in that manner.
It Wasn’t an Army
If you think about it, we don't know that said secret services weren't already aware of, and using, this vulnerability. And we absolutely don't know how many other unknown vulnerabilities they are secretly, and protectively, using right now.