News

Windows Zero-Day Advisory Issued on USB Drives

Microsoft issued a security advisory on Friday about a Windows vulnerability associated with shortcut icons on USB drives.

Most supported Windows versions are subject to the vulnerability. The flaw even touches Service Pack 1 beta for Windows 7 and Windows Server 2008 R2, which was released last week. Consequently, some describe this USB threat as "the first zero-day" notice issued for that SP1 release.

As yet, there's no patch for the vulnerability, but Microsoft's security advisory 2286198 suggests some workarounds, including disabling shortcuts. If unaddressed, the vulnerability could enable an attacker to execute code on the system as a user. The exploit is worse if the user has administrative rights on the system, according to Microsoft.

Microsoft traces the vulnerability to a flaw in Windows Shell that incorrectly parses shortcuts, enabling malicious code to be executed. The exploit is typically triggered when users click on "specially crafted shortcut" icon located on a USB drive or removable disk drive, according to the advisory. However, it can also be triggered via "network shares or remote WebDAV shares."

Shortcuts are files that use the .LNK extension. For the exploit to work, a specially crafted .LNK file needs to be parsed by Windows Explorer. The exploit somehow uses AutoPlay to execute. AutoPlay is a Windows feature that facilitates the operation of attached devices by automatically loading driver software. However, even with AutoPlay disabled (as it is by default in Windows 7), the exploit is still possible if users browse to the root folder of the USB drive, the advisory explains.

Microsoft commented in a blog post that it has so far seen "only limited, targeted attacks on this vulnerability." The vulnerability has been associated with the Stuxnet worm, with most of the attacks occurring in Iran and Indonesia. This worm is also being spread by e-mail related to "game cheats," according to Microsoft.

Microsoft hasn't identified the threat level for this vulnerability, but software security firm Secunia rates it as "highly critical."

Microsoft likely won't issue an out-of-band fix or this zero-day exploit, according to Jason Miller, data and security team manager at Minneapolis, Minn.-based Shavlik Technologies, in a blog post. Possibly, Microsoft will wait until Aug. 10, which is the scheduled date for Microsoft's monthly security update, to issue a patch.

Miller noted that if IT pros apply Microsoft's workarounds, they should undo them prior to applying any patch.

The vulnerability is also present in Microsoft's older unsupported operating systems, such as Windows XP SP2, which lost patch support after July 13. Microsoft recommends that organizations pay for "custom support" to address security issues if they can't migrate or update an unsupported Microsoft OS.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.