Windows Zero-Day Advisory Issued on USB Drives

Microsoft issued a security advisory on Friday about a Windows vulnerability associated with shortcut icons on USB drives.

Most supported Windows versions are subject to the vulnerability. The flaw even touches Service Pack 1 beta for Windows 7 and Windows Server 2008 R2, which was released last week. Consequently, some describe this USB threat as "the first zero-day" notice issued for that SP1 release.

As yet, there's no patch for the vulnerability, but Microsoft's security advisory 2286198 suggests some workarounds, including disabling shortcuts. If unaddressed, the vulnerability could enable an attacker to execute code on the system as a user. The exploit is worse if the user has administrative rights on the system, according to Microsoft.

Microsoft traces the vulnerability to a flaw in Windows Shell that incorrectly parses shortcuts, enabling malicious code to be executed. The exploit is typically triggered when users click on "specially crafted shortcut" icon located on a USB drive or removable disk drive, according to the advisory. However, it can also be triggered via "network shares or remote WebDAV shares."

Shortcuts are files that use the .LNK extension. For the exploit to work, a specially crafted .LNK file needs to be parsed by Windows Explorer. The exploit somehow uses AutoPlay to execute. AutoPlay is a Windows feature that facilitates the operation of attached devices by automatically loading driver software. However, even with AutoPlay disabled (as it is by default in Windows 7), the exploit is still possible if users browse to the root folder of the USB drive, the advisory explains.

Microsoft commented in a blog post that it has so far seen "only limited, targeted attacks on this vulnerability." The vulnerability has been associated with the Stuxnet worm, with most of the attacks occurring in Iran and Indonesia. This worm is also being spread by e-mail related to "game cheats," according to Microsoft.

Microsoft hasn't identified the threat level for this vulnerability, but software security firm Secunia rates it as "highly critical."

Microsoft likely won't issue an out-of-band fix or this zero-day exploit, according to Jason Miller, data and security team manager at Minneapolis, Minn.-based Shavlik Technologies, in a blog post. Possibly, Microsoft will wait until Aug. 10, which is the scheduled date for Microsoft's monthly security update, to issue a patch.

Miller noted that if IT pros apply Microsoft's workarounds, they should undo them prior to applying any patch.

The vulnerability is also present in Microsoft's older unsupported operating systems, such as Windows XP SP2, which lost patch support after July 13. Microsoft recommends that organizations pay for "custom support" to address security issues if they can't migrate or update an unsupported Microsoft OS.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Outlines upcoming 'Teams Phone with Calling Plan'

    Organizations wanting to use Microsoft Teams for phone calls will have some new option, starting in January.

  • Microsoft Test Drives Azure Edge Zones with AT&T Support

    Microsoft is collaborating with AT&T to improve application performance for enterprises by extending Azure capabilities "to the operator's 5G network edge."

  • Windows 10's 'November 2021 Update' Released

    Windows 10 version 21H2 is now generally available, marking the start of a new update release cadence for the Windows 10 OS.

  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.