Microsoft has issued a temporary fix to prevent attackers from exploiting a serious zero-day vulnerability in Windows Shell that security researchers warn is being targeted by cybercriminals in limited attacks.
Christopher Budd, security response communications lead at Microsoft said a Windows Shell Fix It, a temporary automated patch that implements the recommended workaround, disables .LNK and .PIF file functionality. Administrators should test the workaround before widely deploying it, Budd said.
"We encourage customers to review this new information and evaluate it for their environment while our teams continue their work to develop a security update that addresses this vulnerability," Budd wrote on the Microsoft Security Response Center blog.
Microsoft issued an advisory last week, warning that it had detected limited attacks targeting a flaw in Windows Shell. The vulnerability affects all versions of Windows. It enables attackers to exploit malicious code when a shortcut icon is displayed. The attack can be carried out via a USB drive, remotely through network shares and WebDav or in specific document types that support embedded shortcuts, Microsoft said.
The vulnerability was discovered in June by Belarus-based antivirus vendor VirusBlokAda. The malware installs two drivers designed to make the malware undetectable, the company said.
Rahul Kashyap, a vulnerability research manager at McAfee Inc. said the flaw can be exploited relatively easily. An attacker would need to make a malicious shortcut file and then lure the user into navigating to a Windows folder or removable drive that contains the booby trapped file. If successful, the attacker could gain complete control over a vulnerable Windows computer.
McAfee and other antimalware vendors are developing signatures to detect the vulnerability. But Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab said creating generic signatures that don't create false positives is a difficult process. Microsoft may also have trouble developing an effective patch, Schouwenberg wrote on Kaspersky Lab's Securelist blog.
"There doesn't seem to be any security model associated with how Windows handles shortcuts," Schouwenberg wrote. "This whole situation reminds me a bit of vulnerabilities in the WMF format – it's another case of legacy code coming back to bite Microsoft."
Schouwenberg anticipates the vulnerability to be more broadly exploited while Microsoft works on a permanent patch.
Worm uses zero-day to target SCADA systems
Security researchers have identified Stuxnet, a worm that uses the Windows vulnerability to target Siemens SCADA system software. In a detailed analysis of Stuxnet, Symantec Corp. security researcher Liam O Murchu said a rootkit hides the malware files at the Windows kernel level. The malware is designed to update itself, check if certain antivirus applications are running, scan the network for servers and communicate with a command and control server, according to Murchu.