G Data & Sophos - Free Tools for fixing Windows Shortcut Exploit (downloads)

Free tools fix a Windows Shell vulnerability that allows shortcuts to execute malicious code. The tools from G Data Software and Sophos also fix a problem in Microsoft's solution that turns icons into "broken" generic white icons. The Windows Shell vulnerability gives cybercriminals many ways to infect a PCs: http://scforum.info/index.php/topic,4366.0.html

Security firms G Data Software and Sophos have released free tools that eliminate a vulnerability in an operating-system component called the Windows Relevant Products/Services Shell for Windows XP, Windows Vista, and Windows 7. According to Microsoft, the vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed whenever the icon of a specially crafted shortcut is displayed.

Microsoft introduced an automated tool of its own on July 21 that will block any attempts to exploit the vulnerability of .LNK shortcut files: http://scforum.info/index.php/topic,4376.0.html
However, the software giant's homegrown fix replaces the graphics-based icons on the PC's Task and Start menu bars with generic white icons.

The free tool downloads from G Data and Sophos likewise block the automatic execution of malicious code but display the PC icons in their usual graphic form. "Microsoft's current workaround leaves systems almost unworkable with broken-looking icons," noted Graham Cluley, a senior technology consultant at Sophos.

Warning Users

Microsoft warned earlier this month that the shortcut vulnerability in Windows can be exploited locally through a malicious USB drive, or remotely via network Relevant Products/Services shares and WebDAV. Moreover, an exploit can be included in specific document types that support embedded shortcuts, the software giant's security Relevant Products/Services team said.

The free third-party tools from Sophos and G Data, which run alongside existing antivirus software, will intercept any shortcut files that contain the exploit and even warn users about the executable code that attempted to run. For example, the G Data tool displays safe desktop symbols in their usual form but activates a red warning icon if a malicious mechanism is detected.

Fixing the problem is important because the vulnerability gives cybercriminals a wide range of possibilities for infecting a PC, noted Ralf Benzmueller, head of G Data SecurityLabs. "They only need to make sure that a .LNK file is displayed on the computer," Benzmueller explained. "The file which the link refers to does not necessarily need to be on the computer -- it can even be on the Internet."

Enterprise Exposure

The Stuxnet and Dulkis worms, as well as the Chymin Trojan horse, have been exploiting this vulnerability to help spread and infect computer systems, Cluley said. Stuxnet made headlines recently because it targeted the infrastructure Relevant Products/Services for critical facilities such as power plants, he said.

"There's a warning for all computer users here," Cluley said. "Details of how to exploit the security hole are now published on the web, meaning it is child's play for other hackers to take advantage and create attacks."

Since this operating-system design flaw also applies to Windows Server 2003, Windows Server 2008, and Windows Server R2, IT Relevant Products/Services administrators need to take steps to ensure that networks are not vulnerable to shortcut exploits.

"In a company's IT network, for example, it is enough to save a primed and infected file on the network drive," Benzmueller explained. "Even basic software -- like word-processing programs and e-mail clients -- provide the possibility to display shortcuts. We expect that this vulnerability will be massively exploited shortly."

Download from Sophos: http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html

Download from G Data: http://www.gdatasoftware.co.uk/about-g-data/press-centre/news/news-details/article/1723-g-data-fights-back-windows-sec.html

(NF)