Microsoft Acknowledges Windows Shell Vulnerability

Image Gallery: Windows 7 Revealed

Microsoft on Friday issued a Security Advisory stating that it is investigating limited attempts to exploit a vulnerability in the Windows Shell.

The zero-day vulnerability was disclosed last week by Belorussian antivirus company, VirusBlokAda. It takes advantage of Windows shortcut files by making them execute automatically when accessed from a USB drive via Windows Explorer.

The Stuxnet malware, which is believed to have been circulating for about a month, attempts to exploit this vulnerability.

Stuxnet "takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system," explains Microsoft on its Malware Protection Center blog. "In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction."

Microsoft says that Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 are affected.

As workarounds to mitigate the risk of compromise, Microsoft is recommending that administrators disable the display of icons for shortcuts, and disable the WebClient service.

On Sunday, proof-of-concept exploit code was posted at exploit-db.com.

According to computer researcher Frank Boldewin, the malware also targets Siemens SCADA WinCC, an industrial process control system, and its visualization components.

This is precisely the sort of system that government critical infrastructure protection initiatives aim to secure.

The sophistication of the malware's creator is also evident in the code's apparent appropriation of a digital signature from a legitimate chip maker, Taiwan's RealTek Semiconductors, to help install malicious drivers.