The bug comes from Windows improperly handling shortcut (.LNK) files executed through the shell, typically Windows Explorer. When the user launches such a shortcut through the associated icon, Windows fails to properly validate the parameters of the shortcut and malicious code in the .LNK may be executed.
The attack would typically be performed through removable drives, like USB thumb drives or CD-ROMs. It could also be executed through network shares or remote WebDAV shares.
Microsoft lists two workarounds in the advisory. The first disables the display of icons for shortcuts, which will create a very wrong-looking situation in Windows Explorer. The second disables the WebDAV client service, which only affects that vector.
This is quite a serious vulnerability and Microsoft has begun their process of investigation and patch development. This is an excellent candidate for an out-of-band update, especially as we are a month away from the next scheduled Patch Tuesday and targeted attacks are already being conducted.
On the bright side, this is the sort of attack that can be found and blocked by conventional anti-malware. Several such packages, including Microsoft's, already detect the attack.
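As an added example (not from the original post, and not Microsoft's or any vendor's tooling), here is a small Python parser for the documented ShellLink header and string fields of a .LNK file. It is the kind of triage helper a responder would use to inventory the parameters (arguments, icon location) of shortcuts found on removable media or shares; the sample shortcut it parses is constructed in code.

```python
import struct

# LinkFlags bits from the ShellLink header (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# CLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData blocks appear in this fixed order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a ShellLink blob."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + item list
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # skip the whole LinkInfo block
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    info = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            pos += width * count
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


def build_lnk(icon_location: str, arguments: str = "") -> bytes:
    """Construct a minimal Unicode shortcut (sample data for testing only)."""
    flags = IS_UNICODE | HAS_ICON_LOCATION | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=1
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = (sd(arguments) if arguments else b"") + sd(icon_location)
    return header + body + struct.pack("<I", 0)  # TerminalBlock
```

Pointing this at every .LNK on a suspect drive gives a quick list of where each shortcut's icon is loaded from and what arguments it carries, which is what a reviewer wants to see before the shell ever renders it.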