Zscaler Security Advisories
Microsoft .lnk ‘shortcut’ vulnerability exploited by Worm targeting SCADA Systems
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
Affected Software
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003
- Windows Server 2008
On Friday, July 16, Microsoft contacted its MAPP partners, of which Zscaler is a member, to inform them of a new vulnerability in the parsing of .lnk files, known as Windows Shortcut Files. The vulnerability lies in Windows Shell, which is responsible for parsing these files, and could lead to an attacker executing arbitrary code on a victim machine whenever the .lnk file is viewed with an application such as Windows Explorer. This attack vector can be exploited via USB drives, network shares, or WebDAV. As of now, Microsoft has released only workarounds for this issue; a patch is not presently available.
Microsoft has gone public with this information, despite not having a patch available, as the vulnerability is presently being exploited by the Stuxnet worm. The Stuxnet worm is specifically targeting Siemens’ SCADA (supervisory control and data acquisition) software. This worm was allegedly first spotted in June by Belarusian antivirus vendor VirusBlokAda. Zscaler Labs has conducted data mining for traffic related to this worm and in doing so has uncovered command and control (C&C) servers associated with the attack. Zscaler will continue to monitor the situation and deploy additional protections as appropriate; the following is an overview of protections deployed to date:
- Blocks are in place for known C&C servers associated with the Stuxnet worm
- Protections are in place to identify C&C traffic associated with the Stuxnet worm at new locations
- In-line anti-virus signatures are in place and tested against malware related to the Stuxnet worm
- Protections have been deployed to detect WebDAV based exploitation of the .lnk vulnerability
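The last item above describes detecting exploitation of the .lnk vulnerability over WebDAV. As an added illustration of what such a detection can look like at a web proxy (example code written for this page, not Zscaler's own detection logic), the script below scans constructed proxy log lines and flags clients that retrieve .lnk files from a host they are also talking to with WebDAV methods, or that fetch .lnk files using the Windows WebDAV redirector's User-Agent. The log format, the sample lines, and the host names are all constructed for the example; the User-Agent prefix is assumed to be the one the Windows WebDAV client sends.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log format for this example (not a real product format):
# <timestamp> <client_ip> <method> <url> <status> <user_agent>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<ua>.+)$"
)

# HTTP methods that only a WebDAV client issues; seeing one from a client to a
# host marks that host as a WebDAV share from that client's point of view.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}

# Assumption: User-Agent prefix sent by the Windows WebDAV redirector.
WEBDAV_CLIENT_UA = "Microsoft-WebDAV-MiniRedir"

# Constructed sample log: one client browsing a WebDAV share and pulling a
# shortcut, one ordinary browser hit, one .lnk fetch by the WebDAV client
# without an observed PROPFIND, and one .lnk download by a normal browser.
SAMPLE_LOG = [
    "2010-07-19T10:01:02Z 10.0.0.5 PROPFIND http://share.example.test/docs/ 207 Microsoft-WebDAV-MiniRedir/6.1.7600",
    "2010-07-19T10:01:03Z 10.0.0.5 GET http://share.example.test/docs/readme.lnk 200 Microsoft-WebDAV-MiniRedir/6.1.7600",
    "2010-07-19T10:02:10Z 10.0.0.8 GET http://www.example.test/index.html 200 Mozilla/5.0",
    "2010-07-19T10:03:00Z 10.0.0.9 GET http://cdn.example.test/tools/notes.LNK 200 Microsoft-WebDAV-MiniRedir/6.1.7600",
    "2010-07-19T10:04:00Z 10.0.0.10 GET http://www.example.test/files/a.lnk 200 Mozilla/5.0",
    "this line does not match the expected format",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["url"])
    rec["host"] = parsed.netloc.lower()
    rec["path"] = parsed.path.lower()  # case-insensitive extension match
    return rec


def flag_lnk_over_webdav(lines):
    """Return alerts for .lnk files retrieved over WebDAV.

    An alert is raised when a .lnk is fetched and at least one WebDAV
    indicator is present: the client used a WebDAV method against the same
    host, or the request carries the WebDAV redirector User-Agent. Both
    indicators together yield severity 'high', one alone 'medium'. A .lnk
    downloaded by an ordinary browser with neither indicator is not flagged.
    """
    records = [r for r in (parse_line(l) for l in lines) if r]

    # First pass: which hosts did each client address with WebDAV methods?
    webdav_hosts = defaultdict(set)
    for r in records:
        if r["method"] in WEBDAV_METHODS:
            webdav_hosts[r["client"]].add(r["host"])

    # Second pass: evaluate every .lnk retrieval against the indicators.
    alerts = []
    for r in records:
        if not r["path"].endswith(".lnk"):
            continue
        webdav_ua = r["ua"].startswith(WEBDAV_CLIENT_UA)
        webdav_method_seen = r["host"] in webdav_hosts[r["client"]]
        if webdav_ua or webdav_method_seen:
            alerts.append({
                "ts": r["ts"],
                "client": r["client"],
                "url": r["url"],
                "severity": "high" if (webdav_ua and webdav_method_seen) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_lnk_over_webdav(SAMPLE_LOG):
        print(f"{alert['severity']:6} {alert['ts']} {alert['client']} -> {alert['url']}")
```

Running the script against the sample log produces two alerts: a high-severity one for 10.0.0.5, which issued a PROPFIND to the share and then fetched readme.lnk with the WebDAV client, and a medium-severity one for 10.0.0.9, where only the User-Agent indicates WebDAV. The plain-browser download of a.lnk is deliberately left unflagged so the rule stays specific to the WebDAV vector named in the advisory; a deployment that wants to catch .lnk retrieval from any network location would drop that requirement.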
Those wishing to learn more about the .lnk vulnerability and the Stuxnet worm are encouraged to read the following recent Zscaler Labs blog post on the topic: http://research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html