Microsoft is to release an out-of-band patch for the Windows shortcut vulnerability tomorrow morning.
Due to be released at 10pm PDT (5am BST tomorrow morning), the update addresses the vulnerability discussed in Security Advisory 2286198: the critical LNK vulnerability that applies to all versions of the Windows operating system, from Windows XP SP3 to Windows 7.
Christopher Budd, senior security response communications manager at Microsoft, said: “We are releasing the bulletin as we've completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers.
“Additionally, we're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out-of-band is the best thing to do to help protect our customers.”
Holly Stewart, a senior program manager with the Microsoft Malware Protection Center (MMPC), said that the MMPC and other Microsoft Active Protection Program partners have been keeping a close watch on the use of .LNK files exploiting this vulnerability.
Stewart said: “As with many new attack techniques, copycat attackers can act quickly to integrate new techniques. Although there have been multiple families that have picked up this vector, one in particular caught our attention this week: a family named Sality.
“Sality is a highly virulent strain. It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security and then download other malware. It is also a very large family—one of the most prevalent families this year. After the inclusion of the .LNK vector, the numbers of machines seeing attack attempts combining malicious .LNKs and Sality.AT soon surpassed the numbers we saw with Stuxnet. We know that it is only a matter of time before more families pick up the technique.”
The Sality strain has been responsible for around 8,000 computer infections a day. Stewart said that even though these attack attempts do not represent the number of actual infections, they indicate when threats are becoming more widespread.
Wolfgang Kandek, CTO of Qualys, said: “Windows 2000 and XP SP2 users will not be covered and are now in a predicament that will become increasingly urgent. Attacks will continue to become more prevalent and their defensive options are limited.
“Microsoft's workaround in Advisory KB2286198 has a serious impact on the usability of the system, as desktop icons are all replaced by standard generic representations and navigation is hampered. The best option for XP SP2 users is to upgrade to SP3 as soon as possible; Windows 2000 users need to migrate to a new OS altogether.
“Primary attack vectors for the LNK vulnerability are USB sticks and shared drives; an attack depends on a specially crafted LNK file and a custom DLL to function. Remote attacks through email or websites are theoretically possible, but require multiple steps and user interaction. Nevertheless, disabling SMB and WebDAV protocols in the outbound ruleset of internet-facing firewalls is a measure that provides additional protection against the remote attack vector.”
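Kandek's recommendation is to block outbound SMB and WebDAV at the perimeter. Before (and after) adding such rules, an administrator wants to know which internal hosts are actually reaching Internet addresses over those protocols. The following Python script is an added example, not code from the article, Qualys or Microsoft: it scans constructed egress log lines and flags connections from RFC 1918 addresses to external hosts on the SMB ports (TCP 139/445) or carrying the `Microsoft-WebDAV-MiniRedir` user-agent prefix that the Windows WebClient service sends (the log format, the addresses and the version number in the user-agent are all assumptions of this example; the external hosts use documentation address ranges as stand-ins for Internet hosts).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines (not real traffic). The format is an assumption of
# this example: timestamp, src/dst with ports, protocol, action, optional UA.
SAMPLE_LOG = """\
2010-07-30T09:12:01Z src=10.0.0.15:49233 dst=10.0.0.2:445 proto=tcp action=allow
2010-07-30T09:12:05Z src=10.0.0.15:49240 dst=203.0.113.7:445 proto=tcp action=allow
2010-07-30T09:12:09Z src=10.0.0.23:49301 dst=203.0.113.9:443 proto=tcp action=allow
2010-07-30T09:12:11Z src=10.0.0.23:49302 dst=203.0.113.9:80 proto=tcp action=allow ua="Microsoft-WebDAV-MiniRedir/6.1.7600"
2010-07-30T09:12:14Z src=10.0.0.31:49410 dst=198.51.100.4:139 proto=tcp action=allow
"""

# SMB is identified by destination port; WebDAV rides on plain HTTP, so it is
# identified by the WebClient service's user-agent prefix instead.
SMB_PORTS = {139, 445}
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"

# RFC 1918 ranges checked explicitly rather than via ipaddress.is_private,
# which also treats the documentation ranges used above as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)'
    r' proto=(?P<proto>\w+) action=(?P<action>\w+)(?: ua="(?P<ua>[^"]*)")?$'
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(line: str):
    """Return a Finding for an internal->external SMB or WebDAV connection, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    if not (is_internal(src) and not is_internal(dst)):
        return None  # LAN-to-LAN or inbound traffic is out of scope here
    ua = m["ua"] or ""
    if dport in SMB_PORTS:
        reason = "outbound SMB to Internet host"
    elif ua.startswith(WEBDAV_UA_PREFIX):
        reason = "outbound WebDAV (WebClient mini-redirector) to Internet host"
    else:
        return None
    return Finding(m["ts"], src, dst, dport, reason)


def flag_egress(log_text: str):
    """Scan a whole log and return the findings in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in flag_egress(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the sample, the script reports three lines: the SMB connection to 203.0.113.7, the WebDAV fetch from 203.0.113.9, and the NetBIOS-session connection to 198.51.100.4; the LAN-internal SMB line and the plain HTTPS line are left alone. Hosts that show up here are the ones an outbound SMB/WebDAV block would affect, which is the list to review before the rule goes in.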