Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
On Friday July 16, Microsoft contacted its MAPP partners, of which Zscaler is a member, to inform them of a new vulnerability in the parsing of .lnk files, known as Windows Shortcut Files. The vulnerability lies in Windows Shell, which is responsible for parsing these files, and could lead to an attacker executing arbitrary code on a victim machine whenever the .lnk file is viewed with an application such as Windows Explorer. This attack vector can be exploited via USB drives, network shares, or WebDAV. As of now, Microsoft has released only workarounds for this issue; a patch is not presently available.
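Because the only defence at this point is workarounds and hunting, a defender's first practical step is to inventory the shortcuts sitting on removable drives and network shares and see which ones deserve a closer look. The following triage script is an added example written for this page; it is not Zscaler's code and not part of Microsoft's advisory. It parses the public Shell Link (.lnk) binary layout (header, LinkTargetIDList, LinkInfo, StringData) and applies two heuristics chosen by the editor, not stated in the advisory: a shortcut whose target is an opaque shell-item list with no LinkInfo file path, and an item list that mentions a .dll or .cpl module. The two sample shortcuts are constructed inline and deliberately minimal; they are not copies of any real malicious file. A flag from this script means "review this shortcut", not "this is an exploit".

```python
import os
import struct

# Shell Link header constants (MS-SHLLINK): fixed 76-byte header, fixed CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional sections follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_SECTIONS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Parse the parts of a .lnk file that matter for triage."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a Shell Link header")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE

    # LinkTargetIDList: 2-byte size, then ItemIDs (2-byte size each), then 0x0000.
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + id_list_size
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:  # TerminalID
                pos += 2
                break
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end

    # LinkInfo: we only need its size to skip it; its presence is the signal.
    has_link_info = bool(flags & HAS_LINK_INFO)
    if has_link_info:
        pos += struct.unpack_from("<I", data, pos)[0]

    # StringData: CountCharacters then the string, UTF-16LE if IsUnicode.
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for bit, name in STRING_SECTIONS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            strings[name] = raw.decode("utf-16-le" if unicode else "latin-1")
            pos += nbytes

    return {"flags": flags, "id_list_items": items,
            "has_link_info": has_link_info, "strings": strings}


def triage_lnk(data: bytes) -> list:
    """Return human-readable reasons a shortcut deserves analyst review (editor's heuristics)."""
    info = parse_lnk(data)
    findings = []
    if info["id_list_items"] and not info["has_link_info"]:
        findings.append("target is an opaque shell item list with no LinkInfo file path")
    for item in info["id_list_items"]:
        lowered = item.lower()  # lowercases ASCII code units, also inside UTF-16LE
        for ext in (".dll", ".cpl"):
            if ext.encode() in lowered or ext.encode("utf-16-le") in lowered:
                findings.append(f"item list references a {ext} module")
    return findings


def scan_directory(root: str):
    """Walk a mounted USB drive or share and yield (path, findings) for each .lnk."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(".lnk"):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        yield path, triage_lnk(fh.read())
                except (OSError, ValueError) as exc:
                    yield path, [f"unparseable: {exc}"]


# --- constructed sample shortcuts (test fixtures, not real files) ---
def _header(flags: int) -> bytes:
    return struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags) + bytes(LNK_HEADER_SIZE - 24)

def _id_list(items) -> bytes:
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return struct.pack("<H", len(body)) + body

def _string(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Ordinary document shortcut: minimal 28-byte LinkInfo plus a relative path.
BENIGN_LNK = (_header(HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE)
              + struct.pack("<II", 28, 28) + bytes(20) + _string(".\\report.docx"))

# Shortcut with only a shell item list that names a DLL and no file path at all.
SUSPECT_LNK = (_header(HAS_LINK_TARGET_ID_LIST | IS_UNICODE)
               + _id_list([b"constructed-root-item",
                           "\\\\share\\stuff\\module.dll".encode("utf-16-le")]))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, triage_lnk(blob) or "no findings")
```

Run `scan_directory` against the mount point of a drive or share you are reviewing and inspect anything it reports; the parser deliberately stops at the structures it needs, so unusual or truncated files surface as "unparseable" rather than being silently skipped.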
Microsoft has gone public with this information, despite not having a patch available, as the vulnerability is presently being exploited by the Stuxnet worm. The Stuxnet worm is specifically targeting Siemens’ SCADA (supervisory control and data acquisition) software. This worm was allegedly first spotted in June by Belarusian antivirus vendor VirusBlokAda. Zscaler Labs has conducted data mining for traffic related to this worm and in doing so has uncovered command and control (C&C) servers associated with the attack. Zscaler will continue to monitor the situation and deploy additional protections as appropriate; the following is an overview of protections deployed to date:
Those wishing to learn more about the .lnk vulnerability and the Stuxnet worm are encouraged to read the following recent Zscaler labs blog post on the topic: http://research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html