News

Sophos Offers Free Tool for Windows Shortcut Flaw

• By Kurt Mackie
• 07/27/2010

Sophos on Monday announced the availability of a free tool designed to help address the Windows zero-day shortcut vulnerability that Microsoft has not patched.

The Sophos Windows Shortcut Exploit Protection Tool will work with any antivirus software, running on Windows XP, Windows Vista and Windows 7. It works by validating any shortcuts that Windows tries to create. If the shortcut contains the exploit, it will be blocked, according to a blog explanation by Graham Cluley, senior technology consultant at software security firm Sophos.

The tool can be downloaded here and then uninstalled later should Microsoft release a security update for the vulnerability. IT pros can distribute the installer package using Group Policies, according to Cluley.

Cluley noted in a video that Microsoft's published workaround to the zero-day vulnerability will strip out the identities of shortcut icons on the Windows task bar. However, Sophos' tool will just let Windows create the shortcut if the exploit isn't present.

The exploit taps into a flaw in the Windows Shell component to spread malware using .LNK shortcut files. According to Cluley, the exploit is propagated on USB sticks and "if Windows tries to display the icon of an exploited shortcut file it can run the malicious code pointed to by the shortcut, without any user interaction." The exploit can take place "even if AutoPlay and AutoRun are disabled," he added.

Microsoft issued a security advisory about the vulnerability earlier this month, but the advisory just points to a "Fix it" workaround for now. Microsoft has subsequently said that new attacks exploiting this vulnerability have been associated with the Stuxnet worm. In particular, the worm has been used to attack supervisory control and data acquisition (SCADA) software systems, particularly two Windows-based solutions from Siemens.

Symantec has speculated about the motives of the attackers, noting that "this is the first publicly widespread threat that has shown a possibility of gaining control of industrial processes and placing that control in the wrong hands." The security firm suggested that one of the darker motives behind the latest attacks using the Stuxnet worm might be to shut down power facilities, or test that possibility.

Last week, Microsoft explained that two new malware families are associated with the .LNK flaw. One of them is called "Win32/Vobfus," a worm that gets its name because it is "coded in Visual Basic and (VB) and highly obfuscated." The second is a "Chymine" trojan dropper that distributes malware. Microsoft recommends having the latest antivirus definitions installed and disabling shortcuts as a workaround.