Microsoft has released a security advisory addressing a vulnerability in the way Windows parses shortcuts. In Advisory 2286198, issued Friday and updated Monday, the software giant said "malicious code may be executed when a specially crafted shortcut is displayed," even without any user action to run the executable. The company said it is working on a security update.
In the advisory, Microsoft said the vulnerability "is most likely to be exploited through removable drives." It added that, for systems with AutoPlay disabled, users would have to manually browse to the compromised folder in the removable drive for the vulnerability to be exploited. Windows 7 automatically disables AutoPlay functionality for removable disks.
Until a fix is issued, Microsoft suggests that icons for shortcuts be disabled, but, as some observers have noted, this is highly problematic in a graphical interface. Another suggestion from Microsoft is disabling the WebClient service used for WebDAV, which, for SharePoint users, could also be a problem.
The vulnerability affects all currently supported Windows versions. These include XP Service Pack 3, XP Pro x64 Edition Service Pack 2, Server 2003 Service Pack 2, Server 2003 x64 Edition Service Pack 2, Server 2003 with SP2 for Itanium-based Systems, Vista Service Pack 1 and Service Pack 2, Vista x64 Edition Service Pack 1 and Service Pack 2, Server 2008 for 32-bit Systems and Server 2008 for 32-bit Systems Service Pack 2, Server 2008 for x64-based Systems and Server 2008 for x64-based Systems Service Pack 2, Server 2008 for Itanium-based Systems and Server 2008 for Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Server 2008 R2 for x64-based Systems, and Server 2008 R2 for Itanium-based Systems.
XP Service Pack 2 and Windows 2000 are no longer supported by Microsoft, so a patch for those operating systems isn't likely.
'Major Oversight' in Windows
Chester Wisniewski of the Sophos security firm posted on his blog that he followed Microsoft's advice for a workaround by disabling the rendering of icons. But, he added, the workaround made his taskbar "nearly entirely unusable," and it "seriously degraded the usability of the Windows desktop."
He noted that it's useful to think of the attack as two pieces: one is "a new zero-day vulnerability that could easily be adopted by any malware author," and the other is targeted for "some very specific infrastructure." Unless the user runs a power plant, water system, or similar industrial system, Wisniewski wrote, it's best to concentrate on the zero-day flaw.
Wisniewski passed on a colleague's recommendation that the best short-term fix is to disallow executables not on the C drive, or only allow execution from specific paths.
He said the problem is how shell32.dll attempts to load control-panel icons from applets. If a specially made shortcut points to a malicious file, Windows Explorer will execute it simply by browsing to the location. "Allowing executable code to load in the process of trying to retrieve an icon seems like a major oversight in the design of Windows," he observed.
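The following audit script is an added example, not code from the article, Microsoft or Sophos. It reads the local machine's configuration and reports whether each mitigation discussed above (AutoPlay for removable drives, the WebClient service, the shortcut icon handler, and a path-based execution policy) is in effect; it changes nothing. The registry locations are the standard Windows ones, and the AutoRun bitmask bits and Software Restriction Policy level values are taken from Windows documentation rather than from the article, so treat them as assumptions to verify on your own build.

```powershell
# Added audit script (not from the article): read-only check of the mitigations discussed.
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-AutoPlayState {
    # NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun;
    # bit 0x04 is removable drives (assumption: standard Windows policy layout).
    $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item -and ($item.NoDriveTypeAutoRun -band 0x04)) {
            return ('removable drives excluded by policy ({0} = 0x{1:X})' -f $p, $item.NoDriveTypeAutoRun)
        }
    }
    return 'no policy excludes removable drives (Windows 7 does this on its own; check older versions)'
}

function Get-WebClientState {
    # Microsoft's second workaround is to disable this service, which implements WebDAV.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { return 'not installed' }
    return ('{0}, start mode {1}' -f $svc.State, $svc.StartMode)
}

function Get-LnkIconHandlerState {
    # Microsoft's first workaround clears the default value of this key so Explorer
    # stops loading shortcut icons, and with them the applet code the article describes.
    $key = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($v)) { return 'cleared (icon workaround applied)' }
    return ('active, handler {0}' -f $v)
}

function Get-SrpState {
    # The "only allow execution from specific paths" advice maps to Software Restriction
    # Policies: DefaultLevel 0 is Disallowed (only listed paths run), 0x40000 is Unrestricted
    # (assumption: SAFER level ids from the Windows SDK).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $item = Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue
    if (-not $item) { return 'no Software Restriction Policy configured' }
    switch ($item.DefaultLevel) {
        0       { 'default-deny: only executables under the allowed path rules run' }
        0x40000 { 'unrestricted: path rules, if any, only block what they list' }
        default { 'DefaultLevel 0x{0:X} (other level)' -f $item.DefaultLevel }
    }
}

'AutoPlay                    : ' + (Get-AutoPlayState)
'WebClient (WebDAV) service  : ' + (Get-WebClientState)
'Shortcut icon handler       : ' + (Get-LnkIconHandlerState)
'Software Restriction Policy : ' + (Get-SrpState)
```

A machine showing the icon handler cleared and a default-deny restriction policy has both of the workarounds the article's sources recommend in place; the WebClient line only matters where WebDAV is actually used.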