A Windows Shell flaw for which Microsoft released a security advisory Friday could lead to widespread attacks, security experts fear.
The vulnerability attacks through Windows shortcuts, icons for which are displayed on users’ computer screens.
It can be exploited through removable drives or over computer networks. Microsoft has suggested some workarounds, but security experts point out that these have problems of their own.
The Windows Shell Flaw
In Windows 95 and later, the Windows Shell is explorer.exe, which resides in the Windows folder or in one of its subfolders, such as System32. This displays the icons on the user’s desktop, the taskbar, the Start Menu and the file browser. It launches other programs on request. For example, the shell launches Microsoft Word when a user clicks on the Word icon on his desktop screen.
The icon for an application is the link to it. It’s also known as a “shortcut.” Shortcuts are implemented as files with an .LNK extension.
Sometimes, the Windows Shell does not correctly validate specific parameters of the shortcut when trying to load it, and this is the vulnerability in the shell, Microsoft said in Security Advisory 2286198, released Friday.
Attackers who exploit the vulnerability could run arbitrary code on a victim’s system. If the user has administrative user rights, the attacker could take over the system and have full user rights, which will let him install programs; view, change or delete data; or create new accounts.
Exploiting the Flaw
The vulnerability exists in every version of Windows. It can be exploited by a worm that ESET calls “Win32/Stuxnet.”
Stuxnet uses .LNK files placed on USB drives to automatically execute malware as soon as the operating system on the user’s PC reads the files, Microsoft said.
It first injects a backdoor worm called “Win32/Stuxnet.A” onto the victim’s PC. It then installs two Trojans onto the PC. One, WinNT/Stuxnet.A, hides the presence of the .LNK files. The other is WinNT/Stuxnet.B. This injects previously encrypted data blobs — files with the .tmp extension — into memory. These serve different purposes, some being .LNK files, others drivers and still others propagation files that spread the worm.
The files were signed with a Verisign digital certificate belonging to hardware manufacturer Realtek Semiconductor. This led to speculation that the certificate could have been forged or stolen.
Microsoft and Verisign have revoked the certificate with Realtek’s support.
“ESET has seen tens of thousands of encounters with this worm,” Randy Abrams, director, technical education at ESET, told TechNewsWorld. This doesn’t mean infections, as the company gets reports when the threat is successfully blocked.
The greatest number of reports has come from the United States, Iran and Russia, but “at least a dozen other countries” have also been the source of reports, Abrams said.
The threat spreads “very well” because people use USB drives to share files, Abrams warned.
“I see the potential for an uber-Conficker type worm using the .LNK vulnerability and the other propagation methods Conficker demonstrated as highly effective,” Abrams explained.
The Conficker worm, also known as “Downup,” “Downadup” and “Kido,” infected millions of government, business and home computers in more than 200 countries, and used many advanced techniques to conduct its attacks and escape detection. It has since been contained.
Security experts are concerned because the Win32/Stuxnet worm is used in targeted attacks to penetrate supervisory control and data acquisition (SCADA) systems, especially in the U.S. and Iran. SCADA systems are supervisory and monitoring systems used in industries and are part of our national critical infrastructure. U.S. security experts have been asking the federal government to tighten up controls on our SCADA systems for some time now.
Experts are particularly concerned because the worm uses a known default password that protects the database used in the Simatic WinCC SCADA system from Siemens.
Fight the Power
Microsoft has suggested some workarounds to avoid infection. One is disabling the display of icons for shortcuts by using Registry Editor. However, this can cause “serious problems” that may require users to reinstall their operating systems and users have to take this option at their own risk, Microsoft warned.
Another option is to disable the WebClient service. This blocks the most likely remote attack vector, which runs through the Web Distributed Authoring and Versioning (WebDAV) client service.
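As an added example (not from the article, Microsoft or ESET), the following PowerShell applies both workarounds described above and can revert them. It assumes an elevated prompt, that the shortcut icon handler is registered under HKCR\lnkfile\shellex\IconHandler (the key Microsoft's advisory steps point to), and that WebClient's original startup type was Manual.

```powershell
# Added example: apply or revert the two Security Advisory 2286198 workarounds.
# Assumptions: elevated PowerShell; IconHandler key path as named in the advisory;
# WebClient was set to Manual before the change (used when reverting).
param(
    [switch]$Revert,
    [string]$BackupPath = "$env:TEMP\lnkfile-IconHandler.reg"
)

$iconHandlerKey = 'HKCR\lnkfile\shellex\IconHandler'

if (-not $Revert) {
    # 1. Export the key first so the icon-handler change can be undone later.
    reg export $iconHandlerKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; leaving $iconHandlerKey untouched" }

    # 2. Delete the (Default) value: the shell then stops loading the shortcut icon handler,
    #    which is what "disabling the display of icons for shortcuts" means in practice.
    reg delete $iconHandlerKey /ve /f | Out-Null

    # 3. Disable and stop the WebClient (WebDAV) service to close the remote vector.
    Set-Service -Name WebClient -StartupType Disabled
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
}
else {
    # Revert: re-import the saved key and put WebClient back to Manual (assumed original).
    if (-not (Test-Path $BackupPath)) { throw "No backup at $BackupPath; cannot revert" }
    reg import $BackupPath | Out-Null
    Set-Service -Name WebClient -StartupType Manual
    Start-Service -Name WebClient -ErrorAction SilentlyContinue
}

# Restart Explorer so the shell re-reads the icon handler registration.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}
```

Run it once to apply the workarounds and again with -Revert once a patch is installed; expect shortcuts to show generic icons and WebDAV-dependent applications to stop working while the workaround is in place.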
However, disabling WebDAV only means users are prompted for confirmation before opening arbitrary programs downloaded from the Internet. Remote attackers who successfully exploit the Shell vulnerability will still be able to cause Microsoft Outlook to run programs on the victim’s computer. Further, the system will no longer transmit WebDAV requests, which can cause other problems.
“Microsoft’s suggestions work, but also remove some functionality,” Abrams said. “Fully following those suggestions will break some line-of-business applications. The mitigation techniques do not fix the underlying problem which is a flaw in how Windows handles the icons of .LNK files. A patch is needed, and should be issued for all affected operating systems, even those which are no longer supported.”
Enterprises using Microsoft SharePoint will not be able to disable the WebDAV WebClient service, Sophos security researcher Chester Wisniewski warned.
Microsoft is working on the problem, Jerry Bryant, a group manager at the software giant, told TechNewsWorld.
“Microsoft will be providing a security update for the vulnerability described in Security Advisory 2286198,” he said. “However, the timeline for release has yet to be determined.”
Microsoft is continuing to look into mitigations and workarounds, Bryant added.