(2010-08-02) Attack of the killer shortcuts (From outer Redmond)

I know. It's a week too early for the monthly Microsoft patches, but taxes, death and zero-day exploits wait for nobody. Today it's the third one that is lurking.

Microsoft will release a bulletin with an associated security patch in the evening. (Update: it's now available as MS10-046) This security patch fixes all supported operating systems.

Supported means that if you're using Windows XP Service Pack 2 or lower, or Windows 2003 Service Pack 1 or lower, you're out of luck. If you use any version of Windows 2000 you're in even more trouble, since the whole operating system is considered obsolete. This is important to understand, since the vulnerability affects all Windows operating systems from 2000 up to and including Windows 7.

In short: when you open a folder containing a shortcut pointing to a malicious file, you automatically "get your computer hacked".

The base problem has to do with the icon associated with a shortcut. A shortcut, you say? Yes, the normal shortcut file with its .lnk extension. It is in reality called a shell link, but most people know it as the nifty function they use to create a link to a file from their desktop. Normally when you create a shortcut, the icon for it is, if present, taken from the file that the shortcut leads to. You can of course pick your own, custom icon.

The Windows shell does not check that the icon is a proper image before using it, so malformed content posing as an icon can be used to execute code. The malicious code resides in the file the shortcut points to, so the exploit is likely to consist of an executable file and a shortcut file pointing to it. The bad news here is that just opening a folder with an evil shortcut inside it in Windows Explorer is enough to run the code. This is because most file listing dialog boxes and Windows Explorer itself display the associated icon of a shortcut, and those icons are loaded automatically when you open the folder.

Malicious shortcuts can be put on a USB drive and used to attack a Windows PC with a logged-in user. This attack works well with network drives and can even work by fooling a user into surfing to a malicious site.

Please note that you only have to display the shortcut in Windows Explorer or any other application that tries to load the icon to be at risk.
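Because the icon is resolved before the user ever opens the shortcut, a defender's first question about a .lnk found on a share or USB stick is simply "where does its icon come from?". The following Python is an added example, not code from the post: it parses the fixed MS-SHLLINK header, skips the optional ID list and link info, reads the ICON_LOCATION string and applies a triage heuristic (icon sourced from a loadable module outside the Windows or Program Files directories, or from a UNC path). The heuristic, the trusted-prefix list and the sample host names are assumptions constructed for the example.

```python
"""Shell Link (.lnk) icon-location triage (added example, not from the post)."""
import struct
from typing import Optional

# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
MODULE_EXT = (".dll", ".cpl", ".exe", ".ocx", ".scr")        # icons the shell loads as code
TRUSTED_PREFIXES = ("%systemroot%\\", "c:\\windows\\", "c:\\program files")  # assumed list

def icon_location(data: bytes) -> Optional[str]:
    """Return the ICON_LOCATION string of a shell link, or None if it has none."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # end of the fixed ShellLinkHeader
    if flags & HAS_IDLIST:                     # IDListSize (u16) excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                   # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    icon = None
    # StringData entries appear in this fixed order, each only if its flag is set
    for bit in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        text = raw.decode("utf-16-le" if width == 2 else "cp1252")
        if bit == HAS_ICON:
            icon = text
    return icon

def is_suspicious_icon(icon: Optional[str]) -> bool:
    """Heuristic: icon taken from a module outside trusted dirs, or from a UNC path."""
    if not icon:
        return False
    low = icon.lower()
    if low.startswith("\\\\"):
        return True
    return low.endswith(MODULE_EXT) and not low.startswith(TRUSTED_PREFIXES)

def build_lnk(icon: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only an ICON_LOCATION (test fixture)."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, HAS_ICON | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Shortcuts written by the shell may also carry the target in the ID list rather than the icon string, so treat a clean result as "nothing obvious", not as a clean bill of health.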

Servers are less of a problem here, since no sane administrator would use the server as a workstation. At least I hope so. Citrix servers pose a bigger problem. Hopefully most Citrix servers disallow users from doing potentially dangerous things like surfing to the Internet or opening Windows Explorer. But the common file dialog box can also display icons, so you could probably get hurt by using the Open file function and browsing to a folder containing a malicious shortcut.

Clients are at a much higher risk, since browsing folders is a very common task for most users.

The official bulletin from Microsoft:

The official advisory from Microsoft:

ISC Sans:

Tags: Microsoft Security, Out of band, MS10-046, KB2286198, zero day exploit
Posted: 2010-08-02 by Erik Zalitis
Changed: 2010-08-03 by Erik Zalitis
