A vulnerability in Microsoft Windows enables attackers to automatically execute code in shortcut files. How does...
this attack work, and how can it be prevented?
We all use Windows shortcut files in the Control Panel, Explorer and Taskbar. Except for security professionals, many do it without a second thought. Microsoft supports the use of LNK files for fast access to executables or applications.
When Windows displays Control Panel items, it will initialize each object to provide dynamic icon functionality. A Control Panel applet will execute code when the icon is displayed in Windows.
An attacker can specify a malicious dynamic-link library (DLL) and arbitrary code and put them on a USB drive, a local or remote file system, a CD-ROM, or in other locations. A USB drive could be used to automatically load the code onto the dynamic icon in the Windows Control Panel. Viewing the location of shortcut files with Windows Explorer is sufficient to trigger the vulnerability.
Other applications that display the file icons can be used as attack vectors. The LNK files use SpecialFolderDataBlock or KnownFolderDataBlock attributes to specify the location. These files can bypass the whitelisting first implemented in the fix for this Windows vulnerability, also known as CVE-2010-2568. This bypass can be used to trick Windows into loading an arbitrary DLL file. When a victim displays maliciously crafted shortcut files, an attacker can execute arbitrary code with the privileges of the user.
Users can protect shortcut files using a three-step solution:
- block server message block (SMB) outgoing traffic;
- disable WebDAV on the client's side; and,
- block WebDAV outgoing traffic.
To stop SMB outgoing traffic, block connections on ports 139/TCP, 139/UDP, 445/TCP and 445/UDP. This will prevent machines on the local network from connecting to SMB servers.
To disable WebDAV on a Windows client, set the Startup type property for the WebClient service to Disabled. WebDAV outgoing traffic can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how to license Windows 10 virtual desktops
Discover how to best configure Windows security settings
Find out how code-reuse attacks bypass Windows 10 security features
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Judith Myerson
Air-gapped computers subject to PowerHammer attack: Proof-of-concept attack enables data exfiltration through control of current flow over power ... Continue Reading
Bastille researchers created the SirenJack proof of concept to show how a vulnerability could put San Francisco's emergency warning system at risk. ... Continue Reading
A QR code vulnerability was recently discovered in the Apple iOS 11 camera app. Learn how an attacker could exploit it and how to avoid the issue ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.