Experts predict extensive attacks of Windows zero-day

Threat levels jump, but Microsoft not ready to say when it will patch shortcut bug

Security organizations today raised Internet threat levels to warn users that they expect widespread attacks using exploits of a just-acknowledged critical bug in all versions of Windows.

The Internet Storm Center (ISC) pushed its Infocon threat indicator to "Yellow," a rare move, while Symantec also bumped up the status of its ThreatCon barometer to "Elevated."

Today's shift by ISC was the first Yellow since July 2009, when the group alerted users of a vulnerability in Office Web Components , a set of ActiveX controls for publishing Microsoft Office content to the Web and for displaying that content in Internet Explorer (IE).

"The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch," said Lenny Zeltser, an ISC security analyst, as he explained the higher threat level . "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time."

Last Friday, Microsoft confirmed that attackers can use a malicious shortcut file, identified by the ".lnk" extension, to automatically execute their malware by getting users to view the contents of a folder containing such a shortcut. Malware can also automatically execute on many systems when a USB drive is plugged into the PC.

All versions of Windows, including the just-released beta of Windows 7 Service Pack 1 (SP1), as well as the recently retired Windows XP SP2 and Windows 2000, contain the bug.

Many of the attacks spotted so far have been aimed at major manufacturing and utility companies. Last week, Siemens alerted customers of its Simatic WinCC management software that attacks using the vulnerability were targeting computers used to manage large-scale industrial control systems, often called SCADA, for "supervisory control and data acquisition."

Symantec also boosted its ThreatCon indicator from the usual Level 1 to Level 2, dubbed "Elevated." Like the ISC, Symantec said it made the move because of the advisory Microsoft issued Friday and the expectation of increased attacks.

"The Symantec DeepSight Team expects this issue to be incorporated by attackers to carry out remote drive-by download attacks in the wild," said Symantec on its ThreatCon page .

HD Moore, the chief security officer of Rapid7 and the creator of the well-known Metasploit hacking toolkit, said that it was unlikely the vulnerability would be used in classic drive-by attacks, as Symantec predicted. "The vulnerability is serious, but it's not as bad as a drive-by," Moore said, talking about the type of attacks that compromise computers when their users simply browse to a malicious site.

Companies will remain the most lucrative targets for exploits of the Windows shortcut bug, Moore bet, while consumers will likely be relatively safe. One reason: Newer browsers , such as Internet Explorer 8 (IE8), Firefox and Chrome, will shield consumers. IE6, however, which is still widely used in some businesses, does not.

Moore said he was already working on an exploit module for Metasploit, but said it would take time "to make a module really useful" for penetration testing. He's currently exploring a pair of ways to weaponize the publicly-posted proof-of-concept code.

Although Microsoft has confirmed the flaw and offered up workarounds -- including one that requires users to cripple shortcuts -- it had no new advice Monday or a timeline for a fix.

However, Jerry Bryant, a general manager with the Microsoft Security Response Center (MSRC), said that the company would definitely patch the problem. "Some of the discussions we've seen in the last couple of days state that we are not going to provide an update for this issue," Bryant said in an e-mail reply to questions. "This is an issue that we will be providing a security update for."

But unless Microsoft makes a dramatic policy change -- and backtracks on statements it gave as recently as last month -- patches will not be issued for Windows XP Service Pack 2 (SP2), the edition that was retired from all support July 13.

And that will be a problem, said Moore. "Maybe the Zeroday patch guys will put something out for XP SP2," he said, referring to a group of researchers who have infrequently released unauthorized patches for Windows vulnerabilities before Microsoft wraps up its work.

The group, which goes by the name ZERT (Zeroday Emergency Response Team) last shipped a patch in April 2007.

Microsoft's next regularly-scheduled security updates are slated to ship Aug. 10. Microsoft does issue emergency updates at times, however. So far this year, the company has released two "out-of-band" updates, both for IE.

Join the PC World newsletter!

Error: Please check your email address.

Tags symantecMicrosoftsecurityWindowssoftwareoperating systems

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?