Microsoft released Security Advisory 2286198 late last week to address a newly-discovered zero-day flaw that can be exploited simply by clicking a shortcut icon. However, that original guidance is being questioned by security researchers, and exploit code is now available, making a bad situation even worse.
According to the Microsoft advisory, “The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed.” An attack can exploit the flaw and compromise the system or run malicious code without any additional user intervention–even circumventing UAC, and Windows 7 security controls.
Microsoft explains “This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the affected folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.”
Microsoft is working–ostensibly with some sense of urgency–on a patch to address this flaw. Keep in mind, though, that Windows 2000 and Windows XP SP2 are no longer supported platforms, so don’t expect a patch for those operating systems from Microsoft.
The workaround guidance from Microsoft is to disable the display of icons for all shortcuts, as well as to disable the WebClient service to prevent exploit via WebDAV. The problem with these workarounds is they severely handicap Windows operating systems, and–for organizations that rely on SharePoint–may significantly impact productivity.
Chet Wisniewski, a Sophos security researcher, demonstrates in a blog post what the Windows system looks like with the display of icons disabled. Wisniewski describes an alternate temporary fix “My advice is that if you have a controlled Windows deployment you will likely know where your users are executing software that is approved. In this case you can simply create a GPO that defines where software is allowed to run and if that does not include network shares this will provide you an equivalent level of protection without the nastiness of making all your icons turn into white sheets.”
The standard security measures of blocking unauthorized traffic with a firewall, and running up to date antimalware protection on the Windows desktops still applies as well. These measures do offer some degree of protection, but are not currently sufficient in and of themselves to guard against this threat.
I expect that we will see an out-of-band update from Microsoft to address this security concern over the next couple of weeks before the next Patch Tuesday.