Microsoft warns of Windows shortcut drive-by attacks
Hackers can exploit new zero-day by luring users to nasty sites
Computerworld - Microsoft on Tuesday said that hackers could exploit the unpatched Windows shortcut vulnerability using drive-by download attacks that would trigger an infection when people simply surf to a malicious Web site.
A noted vulnerability researcher today confirmed that such attacks are possible.
In the revised security advisory published yesterday Microsoft acknowledged the new attack vector.
"An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location," the company said in the advisory. "When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked."
That language was a change from earlier statements by Microsoft, which had said that attackers could hijack Windows PC by setting up a remote network share, a much more complicated task than building a malware-spreading Web site. In the earlier advisory, Microsoft also said that "the malicious binary may be invoked; the most recent warning instead said "the malicious binary will be invoked [emphasis added in both cases].
Last Friday, Microsoft confirmed that Windows contained a flaw in the parsing of shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.
All versions of Windows are at risk, including the recently retired-from-support Windows XP SP2 and Windows 2000.
So far, attacks exploiting the bug appear to be limited to targeted assaults against software that manages large-scale industrial control systems in major manufacturing and utility companies. Siemens AG has confirmed that one of its customers, a German manufacturer it declined to name, had been victimized by an attack exploiting the shortcut bug.
If drive-by attacks can be launched using the vulnerability, it will be relatively easy for other hackers to join the party and expand attacks to the general PC population. Most security experts consider drive-by attacks among the most dangerous of all threats, since they require only that users be duped into browsing to a malicious site or a legitimate site that's been compromised.
HD Moore, the chief security officer of Rapid7 and the creator of the well-known Metasploit hacking toolkit, confirmed that drive-by attacks are feasible in some situations.
After additional testing and tweaking of an exploit that was added to Metasploit earlier this week, Moore said he was able to conduct drive-by attacks that leveraged the shortcut flaw. But there are some caveats, he said in several e-mailed replies to Computerworld's questions.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts