Microsoft Acknowledges Windows Shell Vulnerability

The zero-day vulnerability appears to be designed for industrial espionage.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 19, 2010


Microsoft on Friday issued a Security Advisory stating that it is investigating limited attempts to exploit a vulnerability in the Windows Shell.

The zero-day vulnerability was disclosed last week by the Belarusian antivirus company VirusBlokAda. It takes advantage of Windows shortcut files, which Windows acts on automatically when a USB drive containing them is browsed in Windows Explorer.

The Stuxnet malware, which is believed to have been circulating for about a month, attempts to exploit this vulnerability.

Stuxnet "takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system," explains Microsoft on its Malware Protection Center blog. "In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction."

Microsoft says that Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 are affected.

As workarounds to mitigate the risk of compromise, Microsoft recommends that administrators disable the display of icons for shortcuts and disable the WebClient service.
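As an added illustration, not taken from the article or from Microsoft's advisory, the following PowerShell script applies (or reverts) those two workarounds on a single host. It assumes an elevated session and that the shortcut icon handler is registered under the standard HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler key; the backup file path is a placeholder of my own choosing.

```powershell
# Added example (not the article's or Microsoft's code): apply or revert the two
# workarounds on the local machine. Assumes an elevated PowerShell session and the
# standard registry location of the shortcut icon handler (an assumption).
param([switch]$Revert)

$iconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$backupFile     = Join-Path $env:ProgramData 'lnk-iconhandler-backup.txt'  # placeholder path

if (-not $Revert) {
    # 1. Disable shortcut icon rendering: save the handler's CLSID, then remove it.
    #    Shortcuts show a generic icon until reverted; restart Explorer (or log off) to apply.
    $current = (Get-ItemProperty -Path $iconHandlerKey -ErrorAction Stop).'(default)'
    if ($current) {
        Set-Content -Path $backupFile -Value $current
        Remove-ItemProperty -Path $iconHandlerKey -Name '(default)' -ErrorAction Stop
        Write-Host "Icon handler CLSID $current saved to $backupFile and removed."
    } else {
        Write-Host 'Icon handler already removed; nothing to do.'
    }

    # 2. Stop and disable the WebClient (WebDAV client) service, the second workaround.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
    Write-Host 'WebClient service stopped and disabled.'
} else {
    # Revert: restore the saved CLSID and re-enable WebClient. Manual start is used here;
    # adjust to your own baseline if the service was configured differently before.
    if (Test-Path $backupFile) {
        $saved = (Get-Content -Path $backupFile -TotalCount 1).Trim()
        Set-ItemProperty -Path $iconHandlerKey -Name '(default)' -Value $saved
        Remove-Item -Path $backupFile
        Write-Host "Icon handler restored to $saved."
    }
    Set-Service   -Name WebClient -StartupType Manual
    Start-Service -Name WebClient -ErrorAction SilentlyContinue
    Write-Host 'WebClient service re-enabled.'
}
```

Test on a non-production machine first, since removing the icon handler changes how every shortcut on the system is displayed until the change is reverted.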

On Sunday, proof-of-concept exploit code was posted at exploit-db.com.

According to computer researcher Frank Boldewin, the malware also targets Siemens SCADA WinCC, an industrial process control system, and its visualization components.

This is precisely the sort of system that government critical infrastructure protection initiatives aim to secure.

The sophistication of the malware's creator is also evident in the code's apparent use of a digital signature belonging to a legitimate chip maker, Taiwan's Realtek Semiconductor, to help install malicious drivers.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
