Tool Blunts Threat from Windows Shortcut Flaw

Microsoft has released a stopgap fix to help Windows users protect themselves against threats that may try to target a newly discovered, critical security hole that is present in every supported version of Windows.

Last week, KrebsOnSecurity.com reported that security researchers in Belarus had found a sophisticated strain of malware that was exploiting a previously unknown flaw in the way Windows handles shortcut files. Experts determined that the malware exploiting the vulnerability was being used to attack computers that interact with networks responsible for controlling the operations of large, distributed and very sensitive systems, such as manufacturing and power plants.

When Microsoft initially released an advisory acknowledging the security hole last week, it said customers could disable the vulnerable component by editing the Windows registry. Trouble is, editing the registry can be a dicey affair for those less experienced working under the hood in Windows because one errant change can cause system-wide problems.

But in an updated advisory posted Tuesday evening, Microsoft added instructions for using a much simpler, point-and-click “FixIt” tool to disable the flawed Windows features. That tool, available from this link, allows Windows users to nix the vulnerable component by clicking the “FixIt” icon, following the prompts, and then rebooting the system.

Be advised, however, that making this change could make it significantly more difficult for regular users to navigate their computer and desktop, as it removes the graphical representation of shortcut icons on the Taskbar and Start menu and replaces them with plain, white icons.

For instance, most Windows users are familiar with these icons:

According to Microsoft, after applying this fix, those icons will be replaced with nondescript (and frankly ugly) placeholders that look like this:

There are currently no signs that this vulnerability is being used in anything but targeted attacks against some very important targets. That said, the situation could change rapidly. For one thing, a proof-of-concept exploit is now publicly available and embedded into open-source attack tools. And while initial reports suggested the primary means of exploiting this flaw required someone to introduce a strange USB device into their system, experts have since shown that the exploit can also be used to spread and launch malicious programs over network shares.

The SANS Internet Storm Center on Monday made the relatively rare decision to change its threat warning level to yellow over this vulnerability, warning that “wide-scale exploitation is only a matter of time.”

“The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch,” SANS incident handler Lenny Zeltser wrote. “Furthermore, anti-virus tools’ ability to detect generic versions of the exploit has not been very effective so far.”

Both of these potential exploit paths probably make this vulnerability far more dangerous for corporate and business users than for home users. That said, having ugly Start Menu and Taskbar icons for a few weeks until Microsoft issues a real fix for this flaw may be a small price to pay for peace of mind. Also, the FixIt changes can be undone simply by visiting this link and clicking the FixIt icon under the “Disable This Workaround” heading.
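For administrators who would rather script the workaround across many machines than click the FixIt on each one, the following PowerShell script is an added example (it is not from the article, and not Microsoft's FixIt). It reports, applies, or undoes the same change the advisory describes: removing the default value under the shortcut icon-handler registry keys so Explorer stops loading the vulnerable component. The two key paths and the backup file location are assumptions drawn from Microsoft's advisory rather than from this page; the script must be run from an elevated prompt, and it saves the original CLSIDs before deleting them so the change can be reversed.

```powershell
# Added example: check, apply, or undo the shortcut icon-handler workaround.
# Key paths below are the ones Microsoft's advisory names (assumed, not quoted
# on this page). Run elevated; changes take effect after users log off and on.
param(
    [ValidateSet('Status', 'Apply', 'Undo')]
    [string]$Action = 'Status'
)

# Handlers whose default value holds the CLSID Explorer loads to draw icons.
$Handlers = @('lnkfile\shellex\IconHandler', 'piffile\shellex\IconHandler')
# Backup location (assumption): where the original CLSIDs are saved for Undo.
$Backup   = Join-Path $env:ProgramData 'lnk-icon-workaround-backup.json'

function Get-HandlerState {
    # One record per key: current handler CLSID and whether it is already disabled.
    foreach ($sub in $Handlers) {
        $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($sub, $false)
        if ($null -eq $key) {
            [pscustomobject]@{ Key = $sub; Handler = $null; Disabled = $true }
            continue
        }
        $val = $key.GetValue('')      # '' is the (Default) value name
        $key.Close()
        [pscustomobject]@{ Key = $sub; Handler = $val; Disabled = [string]::IsNullOrEmpty($val) }
    }
}

switch ($Action) {
    'Status' {
        Get-HandlerState | Format-Table -AutoSize
    }
    'Apply' {
        # Save what is there now so Undo can restore it exactly.
        $current = @(Get-HandlerState | Where-Object { -not $_.Disabled })
        if ($current.Count -eq 0) { Write-Host 'Workaround already applied.'; break }
        $current | ConvertTo-Json | Set-Content -Path $Backup -Encoding UTF8
        foreach ($entry in $current) {
            $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($entry.Key, $true)
            if ($key) { $key.DeleteValue('', $false); $key.Close() }
        }
        Write-Host "Icon handlers disabled; backup written to $Backup. Log off/on to apply."
    }
    'Undo' {
        if (-not (Test-Path $Backup)) { Write-Error "No backup at $Backup"; break }
        $saved = @(Get-Content -Path $Backup -Raw | ConvertFrom-Json)
        foreach ($entry in $saved) {
            $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($entry.Key, $true)
            if ($key) { $key.SetValue('', $entry.Handler); $key.Close() }
        }
        Write-Host 'Original icon handlers restored. Log off/on to apply.'
    }
}
```

Run it with `-Action Status` first to confirm the current state on a machine, then `-Action Apply`; `-Action Undo` reads the saved CLSIDs back. Because it only removes the default value rather than deleting the keys, a later vendor patch that re-registers the handler will still work normally.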

Further reading:

Siemens: German Customer Hit by Industrial Worm

Mitigating Link Exploitation with Ariad

ICS-CERT: USB Malware Targeting Siemens Control Software (PDF)
