Windows Zero-Day Advisory Issued on USB Drives

Microsoft issued a security advisory on Friday about a Windows vulnerability associated with shortcut icons on USB drives.

Most supported Windows versions are subject to the vulnerability. The flaw even touches Service Pack 1 beta for Windows 7 and Windows Server 2008 R2, which was released last week. Consequently, some describe this USB threat as "the first zero-day" notice issued for that SP1 release.

As yet, there's no patch for the vulnerability, but Microsoft's security advisory 2286198 suggests some workarounds, including disabling shortcuts. If unaddressed, the vulnerability could enable an attacker to execute code on the system as a user. The exploit is worse if the user has administrative rights on the system, according to Microsoft.

Microsoft traces the vulnerability to a flaw in Windows Shell that incorrectly parses shortcuts, enabling malicious code to be executed. The exploit is typically triggered when users click on "specially crafted shortcut" icon located on a USB drive or removable disk drive, according to the advisory. However, it can also be triggered via "network shares or remote WebDAV shares."

Shortcuts are files that use the .LNK extension. For the exploit to work, a specially crafted .LNK file needs to be parsed by Windows Explorer. The exploit somehow uses AutoPlay to execute. AutoPlay is a Windows feature that facilitates the operation of attached devices by automatically loading driver software. However, even with AutoPlay disabled (as it is by default in Windows 7), the exploit is still possible if users browse to the root folder of the USB drive, the advisory explains.

Microsoft commented in a blog post that it has so far seen "only limited, targeted attacks on this vulnerability." The vulnerability has been associated with the Stuxnet worm, with most of the attacks occurring in Iran and Indonesia. This worm is also being spread by e-mail related to "game cheats," according to Microsoft.

Microsoft hasn't identified the threat level for this vulnerability, but software security firm Secunia rates it as "highly critical."

Microsoft likely won't issue an out-of-band fix or this zero-day exploit, according to Jason Miller, data and security team manager at Minneapolis, Minn.-based Shavlik Technologies, in a blog post. Possibly, Microsoft will wait until Aug. 10, which is the scheduled date for Microsoft's monthly security update, to issue a patch.

Miller noted that if IT pros apply Microsoft's workarounds, they should undo them prior to applying any patch.

The vulnerability is also present in Microsoft's older unsupported operating systems, such as Windows XP SP2, which lost patch support after July 13. Microsoft recommends that organizations pay for "custom support" to address security issues if they can't migrate or update an unsupported Microsoft OS.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft Sets September Launch for Purview Data Governance

    Microsoft's AI-powered Purview solution to address governance and security challenges is set to become generally available on Sept. 1.

  • An image of planes flying around a globe

    2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • End of the Road for Kaspersky in the United States

    Kaspersky on Monday said it is shuttering its U.S. operations, just days before a nationwide ban on sales of its security software was set to take effect.