Free Sophos tool blocks Windows shortcut attacks
Microsoft won't endorse measure, tells user to cripple shortcuts instead
Computerworld - The security firm Sophos released a tool on Monday that it claimed will block any attacks trying to exploit the critical unpatched vulnerability in Windows' shortcut files.
The tool, dubbed "Sophos Windows Shortcut Exploit Protection Tool," will protect users until Microsoft releases a permanent patch for the problem, said Chet Wisniewski, a senior security advisor at Sophos.
"The tool replaces Windows' icon handler, so that anything that calls the handler, we're going to intercept," Wisniewski told Computerworld.
But Microsoft refused to condone the Sophos tool, a position it takes whenever third-party solutions to a Windows bug are introduced.
"Microsoft does not endorse third-party tools," said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC). "We recommend that customers apply the workaround in Security Advisory 2286198, as it helps to protect customers from all known attack vectors."
The vulnerability is in how the Windows parses shortcuts, the small files that graphically represent links to programs and documents. Shortcuts are a key component of the Windows desktop, including the Start menu and the taskbar.
The bug was first described more than a month ago by VirusBlokAda, a little-known security firm based in Belarus. It attracted widespread attention only after security blogger Brian Krebs reported on it July 15.
A day later, Microsoft confirmed the bug and admitted that attackers were already exploiting the flaw.
All versions of Windows contain the vulnerability, including the preview of Windows 7 Service Pack 1 (SP1), and the recently retired-from-support Windows XP SP2 and Windows 2000.
Exploit code has been widely distributed on the Internet, and Microsoft and others have spotted several attack campaigns based on the bug.
Initial attacks using the shortcut vulnerability were aimed at major manufacturing and utility companies. Two weeks ago, Siemens alerted customers of its Simatic WinCC management software that attacks using the vulnerability were targeting computers used to manage large-scale industrial control systems, often called SCADA, for "supervisory control and data acquisition."
Hackers gained control of computers at at least one German customer of Siemens with the shortcut-exploiting "Stuxnet" worm, the electronics giant has confirmed.
Nearly 60% of the PCs identified by security vendor Symantec that have been infected by Stuxnet are located in Iran, a statistic that's sparked speculation that the country's infrastructure may have been targeted for attack.
Microsoft's advice has been to disable the displaying of shortcuts, a move many users may resist since it makes much of Windows almost unusable. The Sophos tool leaves shortcut icons untouched.
Wisniewski defended Sophos' release of the tool. "This is a reasonably unique situation in that we can put ourselves in the way of attacks," he said. "We're not suggesting that users not apply the Microsoft patch when it's ready. And the tool doesn't modify Windows or other files, so it's not really a patch."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Malware and Vulnerabilities White Papers | Webcasts