How are Windows shortcut files vulnerable to attacks?

A Windows vulnerability targets shortcut files and enables hackers to automatically execute code. Expert Judith Myerson explains the flaw and how to stop it.

A vulnerability in Microsoft Windows enables attackers to automatically execute code in shortcut files. How does this attack work, and how can it be prevented?

Windows shortcut files are everywhere: in the Control Panel, in Explorer and on the Taskbar. Outside the security profession, most people use them without a second thought. Microsoft supports LNK files as a fast way to reach executables and applications.

When Windows displays Control Panel items, it initializes each object to provide its dynamic icon, and a Control Panel applet executes code at the moment that icon is displayed in Windows.

An attacker can place a malicious dynamic-link library (DLL) containing arbitrary code on a USB drive, a local or remote file system, a CD-ROM or another location. A USB drive, for example, can cause that code to be loaded automatically through the dynamic icon in the Windows Control Panel: simply viewing the location of the shortcut files in Windows Explorer is enough to trigger the vulnerability.

Other applications that display file icons can serve as attack vectors as well. The LNK files use SpecialFolderDataBlock or KnownFolderDataBlock attributes to specify the target location, and shortcuts built this way bypass the whitelisting first implemented in the fix for the original Windows vulnerability, CVE-2010-2568. The bypass tricks Windows into loading an arbitrary DLL, so when a victim displays maliciously crafted shortcut files, the attacker executes arbitrary code with that user's privileges.
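Because the bypass hinges on those two ExtraData blocks, a defender can triage .lnk files by walking the MS-SHLLINK layout (header, IDList, LinkInfo, StringData, ExtraData) and reporting which blocks are present. The parser below is an added example, not code from the article or from Microsoft; the sample shortcut bytes are constructed inline, and the block signatures and sizes come from the MS-SHLLINK specification. Both blocks also occur in legitimate shortcuts, so a hit marks a file for closer inspection rather than proving it malicious.

```python
import struct

# ExtraData block signatures from MS-SHLLINK section 2.5; the two the article names are flagged
SIGNATURES = {
    0xA0000001: "EnvironmentVariableDataBlock", 0xA0000002: "ConsoleDataBlock",
    0xA0000003: "TrackerDataBlock", 0xA0000004: "ConsoleFEDataBlock",
    0xA0000005: "SpecialFolderDataBlock", 0xA0000006: "DarwinDataBlock",
    0xA0000007: "IconEnvironmentDataBlock", 0xA0000008: "ShimDataBlock",
    0xA0000009: "PropertyStoreDataBlock", 0xA000000B: "KnownFolderDataBlock",
    0xA000000C: "VistaAndAboveIDListDataBlock",
}
FLAGGED = {0xA0000005, 0xA000000B}

def extra_data_blocks(lnk: bytes) -> list:
    """Walk the ShellLink structures in spec order and return the ExtraData block signatures found."""
    if struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]   # LinkFlags sits at offset 0x14
    pos = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte IDListSize followed by the IDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & 0x02:  # HasLinkInfo: the first DWORD is the whole structure's size
        pos += struct.unpack_from("<I", lnk, pos)[0]
    width = 2 if flags & 0x80 else 1  # IsUnicode selects UTF-16 or ANSI StringData
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & bit:
            pos += 2 + width * struct.unpack_from("<H", lnk, pos)[0]
    sigs = []
    while pos + 8 <= len(lnk):
        size, sig = struct.unpack_from("<II", lnk, pos)
        if size < 4:  # TerminalBlock ends the ExtraData list
            break
        sigs.append(sig)
        pos += size
    return sigs

def suspicious_blocks(lnk: bytes) -> list:
    """Names of SpecialFolder/KnownFolder blocks present, i.e. shortcuts worth a closer look."""
    return [SIGNATURES[s] for s in extra_data_blocks(lnk) if s in FLAGGED]

def build_sample_lnk(extra: bytes) -> bytes:
    """Constructed minimal .lnk: header + one-item IDList + Unicode NAME_STRING + the given ExtraData."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sI", 0x4C, clsid, 0x01 | 0x04 | 0x80).ljust(0x4C, b"\x00")
    idlist = b"\x04\x00AB" + b"\x00\x00"                       # one ItemID, then TerminalID
    name = struct.pack("<H", 4) + "icon".encode("utf-16-le")    # CountCharacters + characters
    return header + struct.pack("<H", len(idlist)) + idlist + name + extra + b"\x00" * 4

SPECIAL = struct.pack("<IIII", 0x10, 0xA0000005, 0x25, 0)           # SpecialFolderID 0x25, Offset 0
KNOWN = struct.pack("<II16sI", 0x1C, 0xA000000B, b"\x00" * 16, 0)   # zero GUID, Offset 0
TRACKER = struct.pack("<II", 0x60, 0xA0000003) + b"\x00" * 0x58     # benign block, fixed 0x60 bytes

if __name__ == "__main__":
    print(suspicious_blocks(build_sample_lnk(SPECIAL + KNOWN)))  # ['SpecialFolderDataBlock', 'KnownFolderDataBlock']
    print(suspicious_blocks(build_sample_lnk(TRACKER)))          # []
```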

Users can protect themselves against this attack with a three-step solution:

  1. block server message block (SMB) outgoing traffic;
  2. disable WebDAV on the client's side; and,
  3. block WebDAV outgoing traffic.

To stop SMB outgoing traffic, block connections on ports 139/TCP, 139/UDP, 445/TCP and 445/UDP. This will prevent machines on the local network from connecting to SMB servers.

To disable WebDAV on a Windows client, set the Startup type of the WebClient service to Disabled. Outgoing WebDAV traffic can be blocked at the network level by blocking the HTTP methods that the WebDAV extension adds.

This was last published in October 2017
