Microsoft published Security Advisory 2286198 on Friday of last week, confirming the existence of a critical vulnerability in all supported versions of Windows.
The new zero-day vulnerability is easily exploitable via USB storage devices, network shares or remote WebDAV shares. All that is required for exploitation is for the contents of the USB device to be viewed in Windows Explorer. Specially crafted shortcut (.lnk) files are allowed to execute code when the shortcut’s icon is loaded to the GUI.
An exploit targeting this vulnerability is currently in limited use and additional exploits are very likely in the coming weeks.
The shortcut vulnerability was discovered during investigation of the Stuxnet rootkit which has been used in targeted attacks aimed at Siemens SCADA systems. Such systems are used for supervisory control and data acquisition in industrial facilities such as power plants. The shortcut file used in this case is detected as Exploit:W32/WormLink.A.
The situation is now more critical because a publicly available proof of concept was posted to several exploit database sites over the weekend.
Proof of concept exploit code is now in-the-wild and F-Secure fully expects virus writers to utilize this method of attack in the near future.
Sean Sullivan, Security Advisor at F-Secure, says, “This shortcut worm is very dangerous and the seriousness of the situation will increase until Microsoft releases a fix. And because Microsoft Windows XP Service Pack 2 is no longer supported, even the fix won’t fully resolve the issue. This is a major concern as F-Secure’s research shows that SP2 is still being used by many organizations.”
F-Secure strongly recommends that companies and organizations migrate to Windows XP Service Pack 3 as soon as possible, or implement Microsoft’s suggested workarounds.
Additionally, organizations need to create or review their USB device policy. “This danger can be mitigated with best practices. If a company doesn’t have a security policy regarding USB devices, they’re at risk. Those that do have a policy should review it and make sure that it’s being followed. And this is time critical as summer vacation season is approaching,” says Sullivan.