A vulnerability in Microsoft Windows enables attackers to automatically execute code in shortcut files. How does...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
this attack work, and how can it be prevented?
We all use Windows shortcut files in the Control Panel, Explorer and Taskbar. Except for security professionals, many do it without a second thought. Microsoft supports the use of LNK files for fast access to executables or applications.
When Windows displays Control Panel items, it will initialize each object to provide dynamic icon functionality. A Control Panel applet will execute code when the icon is displayed in Windows.
An attacker can specify a malicious dynamic-link library (DLL) and arbitrary code and put them on a USB drive, a local or remote file system, a CD-ROM, or in other locations. A USB drive could be used to automatically load the code onto the dynamic icon in the Windows Control Panel. Viewing the location of shortcut files with Windows Explorer is sufficient to trigger the vulnerability.
Other applications that display the file icons can be used as attack vectors. The LNK files use SpecialFolderDataBlock or KnownFolderDataBlock attributes to specify the location. These files can bypass the whitelisting first implemented in the fix for this Windows vulnerability, also known as CVE-2010-2568. This bypass can be used to trick Windows into loading an arbitrary DLL file. When a victim displays maliciously crafted shortcut files, an attacker can execute arbitrary code with the privileges of the user.
Users can protect shortcut files using a three-step solution:
- block server message block (SMB) outgoing traffic;
- disable WebDAV on the client's side; and,
- block WebDAV outgoing traffic.
To stop SMB outgoing traffic, block connections on ports 139/TCP, 139/UDP, 445/TCP and 445/UDP. This will prevent machines on the local network from connecting to SMB servers.
To disable WebDAV on a Windows client, set the Startup type property for the WebClient service to Disabled. WebDAV outgoing traffic can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how to license Windows 10 virtual desktops
Discover how to best configure Windows security settings
Find out how code-reuse attacks bypass Windows 10 security features
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Judith Myerson
A cryptographic weakness was discovered in the Telerik web UI. Expert Judith Myerson alerts readers about this weakness and the alternative options ...continue reading
New media player vulnerabilities have been exposed that enable hackers to use subtitle files to control devices. Expert Judith Myerson explains how ...continue reading
Two critical, zero-day Foxit Reader vulnerabilities haven't been patched and pose a threat to enterprises. Judith Myerson explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.