Critical Windows LNK Vulnerability

by Marcus Ley,
assono GmbH, Standort Kiel,

On July 16th Microsoft published Security Advisory (2286198) concerning a vulnerability in Windows systems from XP to 7. All versions are affected, including the server variants. The vulnerability exists because Windows parses shortcuts in such a way that malicious code can be executed. Malicious software can be loaded using a specially prepared LNK or PIF file.

It is not required to open an infected file: displaying the shortcut in Windows Explorer or any other graphical file browser (e.g. Total Commander) is sufficient. It does not matter where the file is located; it can be loaded from a USB stick, a CD-ROM or even a network share. Thus, the attack surface of this vulnerability is extremely large.


In addition, the consequences are extremely serious. The system can be infiltrated by malicious code such as a rootkit, which hides from the user and even from anti-virus software. If the user of the infected system has administrator privileges, the attacker finds the complete system open and free to use.

Microsoft has not published a fix yet. Instead, there is a fairly basic workaround that consists of not loading the icons of LNK and PIF files.
This will make your desktop and start menu look a little confusing. Nevertheless, it is the most effective way to secure your system right now.

According to the Security Advisory, there are two registry keys whose values have to be deleted:
[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler] and
[HKEY_CLASSES_ROOT\piffile\shellex\IconHandler].

For everyone who does not want to edit the registry manually, Microsoft released prebuilt MSI packages (download here).
There is one for each case: one deletes the keys' values, the other restores them. You have to restart your system, or at least Explorer, for these changes to take effect.
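The same workaround as a script, added here as an example that is not part of the article or of Microsoft's advisory: it reports whether the two icon-handler values are still present, deletes them after saving a backup, or restores them from that backup. It assumes Windows PowerShell running as Administrator; the backup file path is an assumption.

```powershell
# Added example (not from the article or the Microsoft advisory).
# Check, apply or undo the LNK/PIF icon-handler workaround. Run as Administrator.
param(
    [ValidateSet('Check', 'Apply', 'Restore')] [string]$Action = 'Check',
    [string]$BackupFile = "$env:ProgramData\iconhandler-backup.xml"   # assumed path
)
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)
function Get-IconHandlerState {
    # The (Default) value of each key names the icon-handler class; the workaround deletes it.
    foreach ($k in $keys) {
        $item  = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
        $value = if ($item) { $item.GetValue('') } else { $null }
        [pscustomobject]@{
            Key     = $k -replace '^Registry::', ''
            Handler = $value
            Status  = if ([string]::IsNullOrEmpty($value)) { 'workaround applied' }
                      else { 'icon handler active (workaround NOT applied)' }
        }
    }
}
function Restart-Explorer {
    # Explorer has to be restarted for the registry change to take effect.
    Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
    if (-not (Get-Process explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}
switch ($Action) {
    'Check'   { Get-IconHandlerState | Format-Table -AutoSize }
    'Apply'   {
        # Save the current values first so the change can be undone once a patch is installed.
        Get-IconHandlerState | Export-Clixml -LiteralPath $BackupFile
        foreach ($k in $keys) {
            Remove-ItemProperty -LiteralPath $k -Name '(default)' -ErrorAction SilentlyContinue
        }
        Restart-Explorer
    }
    'Restore' {
        foreach ($entry in (Import-Clixml -LiteralPath $BackupFile)) {
            if ($entry.Handler) {
                Set-ItemProperty -LiteralPath "Registry::$($entry.Key)" -Name '(default)' -Value $entry.Handler
            }
        }
        Restart-Explorer
    }
}
```

Run it with `-Action Check` on each machine to see whether the workaround is in place, and keep the backup file until the Microsoft patch is installed and the values have been restored.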

As long as there is no patch from Microsoft, you have to take the above measures to protect your system. The Internet Storm Center briefly raised its threat alert level to "yellow" to draw attention to the vulnerability. A larger attack wave must be expected.


Sources:
Microsoft Security Advisory (2286198)
Microsoft Support Fix
ISC Threat Alert Level


Do you have questions about this article? Feel free to contact us: blog@assono.de
