Microsoft confirms 'nasty' Windows zero-day bug

But it won't patch the vulnerability for Windows XP SP2 or Windows 2000

Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.

The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support , researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2.

In a security advisory , Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows "shortcut" files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

"In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware," Dave Forstrom, a director in Microsoft's Trustworthy Computing group, said in a post Friday to a company blog . Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.

Forstrom characterized the threat as "limited, targeted attacks," but the Microsoft group responsible for crafting antivirus signatures said it had tracked 6,000 attempts to infect Windows PCs as of July 15.

On Friday, Siemens alerted customers of its Simatic WinCC management software that attacks using the Windows vulnerability were targeting computers used to manage large-scale industrial control systems used by major manufacturing and utility companies.

The vulnerability was first mentioned on June 17 in an alert issued by VirusBlokAda , a little-known security firm based in Belarus. Other security organizations, including U.K.-based Sophos and SANS Institute's Internet Storm Center , picked up on the threat Friday. Security blogger Brian Krebs , formerly with the Washington Post, reported on it Thursday.

According to Microsoft, Windows fails to correctly parse shortcut files, identified by the ".lnk" extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC with little user interaction: All that's necessary is that the user views the contents of the USB drive with a file manager like Windows Explorer.

Chester Wisniewski, a senior security advisory with Sophos, called the threat "nasty," and said his tests showed that the exploit works even when AutoRun and AutoPlay -- two functions that have previously been used by attackers to commandeer PCs using infected flash drives -- are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7 , said Wisniewski in a blog entry Friday.

Attacks can also be launched without using USB drives, Microsoft and Wisniewski both noted. "Affected shortcuts can also be distributed over network shares or remote WebDAV shares," said Microsoft's advisory.

"[That makes] a very bad situation worse," said Wisniewski.

Microsoft did not set a timeline for patching the zero-day vulnerability; its next Patch Tuesday is not until Aug. 10.

For now, Microsoft said users could block attacks by disabling the displaying of shortcuts, and turning off the WebClient service. Both moves require editing the Windows registry, a chore most people avoid for fear of crippling their computers. Disabling shortcut files also will make it more difficult for users to launch programs or open documents.

That advice is all the help that those still running Windows XP SP2, the service pack that was retired from all support last Tuesday, will get from Microsoft.

"Noticeably absent from [Microsoft's list of affected software] are Windows 2000 and Windows XP SP2 as they are no longer supported," said Wisniewski. "They are, however, definitely still vulnerable." Microsoft also retired all editions of Windows 2000 from support last week.

Wolfgang Kandek, the chief technology officer of Qualys, echoed Wisniewski's concerns about XP SP2 and Windows 2000 going patchless. "We assume the attack works against both of them and attackers will surely take advantage of this security hole ," Kandek said Saturday.

Microsoft said that all still-supported versions of Windows, including Windows XP SP3, Vista, Server 2003, Windows 7, Server 2008 and Server 2008 R2, contain the bug. The betas of Windows 7 SP1 and Server 2008 R2 SP1, which the company released last week, are also at risk.

Windows XP SP2 users must upgrade to XP SP3 to receive a patch for the shortcut flaw when it eventually ships.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftoperating systemssoftwareWindows

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?