Yellow alert over Windows shortcut flaw

'Wide-scale exploitation is only a matter of time'


Windows Shortcut's zero-day attack code has gone public.

The development increases the risk that the attack vector, already used by the highly sophisticated Stuxnet Trojan to attack Scada control systems, will be applied against a wider range of vulnerable systems.

All versions of Windows are potentially vulnerable to the exploit.

Just viewing the contents of an infected USB stick is enough to get pwned, even on systems where Windows Autoplay is disabled. Maliciously-crafted Windows shortcut (.lnk) files might also to be able to push malicious code through other attack routes left open by the vulnerability, such as Windows shares.

The SANS Institute's Internet Storm Centre has responded to the heightened threat by moving onto yellow alert status for the first time in years. "We believe wide-scale exploitation is only a matter of time," writes ISC handler Lenny Zeltser.

"The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit have not been very effective so far."

Microsoft has acknowledged the problem - and published workarounds designed to guard against attack - ahead of a possible patch. Going by previous form, and given the seriousness of the flaw and the amount of platforms affected, Microsoft's security gnomes will have their work cut out to release a fix as part of August's Patch Tuesday much less any sooner.

The Siemens SIMATIC WinCC SCADA systems specially targeted by the Stuxnet Trojan use hard-coded admin username / password combinations that users are told not to change. Details of these passwords has been available on underground hacker forums for at least two years, Wired reports.

Worse still, changing Siemens' hard-coded password will crash vulnerable SCADA systems, IDG reports. Siemens is in the process of developing guidelines for customers on how to mitigate against the risk of possible attack.

An overview of the vulnerability and its implications can be found in a blog posting by Rik Ferguson of Trend Micro here. ®

Similar topics

Broader topics


Other stories you might like

  • Techniques to fool AI with hidden triggers are outpacing defenses – study
    Here's how to catch up with those poisoning machine-learning systems

    The increasingly wide use of deep neural networks (DNNs) for such computer vision tasks as facial recognition, medical imaging, object detection, and autonomous driving is going to, if not already, catch the attention of cybercriminals.

    DNNs have become foundational to deep learning and to the larger field of artificial intelligence (AI). They're a multi-layered class of machine learning algorithms that essentially try to mimic how a human brain works and are becoming more popular in developing modern applications.

    That use is expected to increase rapidly in the coming years. According to analysts with Emergen Research, the worldwide market for DNN technology will grow from $1.26bn in 2019 to $5.98bn by 2027, with demand in such industries as healthcare, banking, financial services and insurance surging.

    Continue reading
  • ‘Precursor malware’ infection may be sign you're about to get ransomware, says startup
    As more and more biz pays up to restore data, we're told

    Ransomware is among the most feared of the myriad cyberthreats circulating today, putting critical data at risk and costing some enterprises tens of millions of dollars in damage and ransoms paid. However, ransomware doesn't occur in a vacuum, according to security startup Lumu Technologies.

    A ransomware infection is usually preceded by what Lumu founder and CEO Ricardo Villadiego calls "precursor malware," essentially reconnaissance malicious code that has been around for a while and which lays the groundwork for the full ransomware campaign to come. Find and remediate that precursor malware and a company can ward off the ransomware attack is the theory.

    "The moment you see your network – and by network, I mean the network defined the modern times, whatever you have on premises, whatever is out in the clouds, whatever you have with your remote users – when you see any assets from your network contacting an adversarial infrastructure, eliminate that contact because that puts you in your zone of maximum resistance to attacks," Villadiego told The Register.

    Continue reading
  • China thrilled it captured already-leaked NSA cyber-weapon
    Not now with your mischief, Beijing

    China claims it has obtained malware used by the NSA to steal files, monitor and redirect network traffic, and remotely control computers to spy on foreign targets.

    The software nasty, dubbed NOPEN, is built to commandeer selected Unix and Linux systems, according to Chinese Communist Party tabloid Global Times, which today cited a report it got exclusively from China's National Computer Virus Emergency Response Center.

    Trouble is, NOPEN was among the files publicly leaked in 2016 by the Shadow Brokers. If you can recall back that far, the Shadow Brokers stole and dumped online malware developed by the NSA's Equation Group.

    Continue reading

Biting the hand that feeds IT © 1998–2022