News

Windows Zero-Day Advisory Issued on USB Drives

Microsoft issued a security advisory on Friday about a Windows vulnerability associated with shortcut icons on USB drives.

Most supported Windows versions are subject to the vulnerability. The flaw even touches Service Pack 1 beta for Windows 7 and Windows Server 2008 R2, which was released last week. Consequently, some describe this USB threat as "the first zero-day" notice issued for that SP1 release.

As yet, there's no patch for the vulnerability, but Microsoft's security advisory 2286198 suggests some workarounds, including disabling shortcuts. If unaddressed, the vulnerability could enable an attacker to execute code on the system as a user. The exploit is worse if the user has administrative rights on the system, according to Microsoft.

Microsoft traces the vulnerability to a flaw in Windows Shell that incorrectly parses shortcuts, enabling malicious code to be executed. The exploit is typically triggered when users click on "specially crafted shortcut" icon located on a USB drive or removable disk drive, according to the advisory. However, it can also be triggered via "network shares or remote WebDAV shares."

Shortcuts are files that use the .LNK extension. For the exploit to work, a specially crafted .LNK file needs to be parsed by Windows Explorer. The exploit somehow uses AutoPlay to execute. AutoPlay is a Windows feature that facilitates the operation of attached devices by automatically loading driver software. However, even with AutoPlay disabled (as it is by default in Windows 7), the exploit is still possible if users browse to the root folder of the USB drive, the advisory explains.

Microsoft commented in a blog post that it has so far seen "only limited, targeted attacks on this vulnerability." The vulnerability has been associated with the Stuxnet worm, with most of the attacks occurring in Iran and Indonesia. This worm is also being spread by e-mail related to "game cheats," according to Microsoft.

Microsoft hasn't identified the threat level for this vulnerability, but software security firm Secunia rates it as "highly critical."

Microsoft likely won't issue an out-of-band fix or this zero-day exploit, according to Jason Miller, data and security team manager at Minneapolis, Minn.-based Shavlik Technologies, in a blog post. Possibly, Microsoft will wait until Aug. 10, which is the scheduled date for Microsoft's monthly security update, to issue a patch.

Miller noted that if IT pros apply Microsoft's workarounds, they should undo them prior to applying any patch.

The vulnerability is also present in Microsoft's older unsupported operating systems, such as Windows XP SP2, which lost patch support after July 13. Microsoft recommends that organizations pay for "custom support" to address security issues if they can't migrate or update an unsupported Microsoft OS.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Microsoft Gives Orgs More Power to 'Tune' AI Agents

    At its Build 2025 conference this week, Microsoft unveiled significant advancements aimed at empowering enterprises to create more sophisticated AI agents.

  • Build 2025: Microsoft Charts Wider Path for AI Agents

    At Build 2025, Microsoft unveiled its strategic vision for the future of AI agents, emphasizing the development of autonomous systems capable of performing complex tasks across various applications.

  • Microsoft to Orgs: Ditch Your Passwords for Passkeys

    May marks the first-ever "World Passkey Day," the occasion of which Microsoft marked by leaning into its vision of a passwordless future.