carloscastilla - Fotolia
A vulnerability in Microsoft Windows enables attackers to automatically execute code in shortcut files. How does this attack work, and how can it be prevented?
We all use Windows shortcut files in the Control Panel, Explorer and Taskbar. Except for security professionals, many do it without a second thought. Microsoft supports the use of LNK files for fast access to executables or applications.
When Windows displays Control Panel items, it will initialize each object to provide dynamic icon functionality. A Control Panel applet will execute code when the icon is displayed in Windows.
An attacker can specify a malicious dynamic-link library (DLL) and arbitrary code and put them on a USB drive, a local or remote file system, a CD-ROM, or in other locations. A USB drive could be used to automatically load the code onto the dynamic icon in the Windows Control Panel. Viewing the location of shortcut files with Windows Explorer is sufficient to trigger the vulnerability.
Other applications that display the file icons can be used as attack vectors. The LNK files use SpecialFolderDataBlock or KnownFolderDataBlock attributes to specify the location. These files can bypass the whitelisting first implemented in the fix for this Windows vulnerability, also known as CVE-2010-2568. This bypass can be used to trick Windows into loading an arbitrary DLL file. When a victim displays maliciously crafted shortcut files, an attacker can execute arbitrary code with the privileges of the user.
Users can protect shortcut files using a three-step solution:
- block server message block (SMB) outgoing traffic;
- disable WebDAV on the client's side; and,
- block WebDAV outgoing traffic.
To stop SMB outgoing traffic, block connections on ports 139/TCP, 139/UDP, 445/TCP and 445/UDP. This will prevent machines on the local network from connecting to SMB servers.
To disable WebDAV on a Windows client, set the Startup type property for the WebClient service to Disabled. WebDAV outgoing traffic can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how to license Windows 10 virtual desktops
Discover how to best configure Windows security settings
Find out how code-reuse attacks bypass Windows 10 security features
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Judith Myerson
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading