NEWS FROM THE LAB - Wednesday, July 21, 2010

LNK Vulnerability: Embedded Shortcuts in Documents
Posted by Sean @ 10:20 GMT

Microsoft has updated Security Advisory 2286198 (version 1.2).

It's quite evident that the folks at Microsoft are working very diligently on this issue. Our concerns have been addressed and the advisory no longer lists Windows 7 AutoPlay as a mitigation. We thank them for this clarification.

And now the bad news.

Version 1.2 of the advisory has an important new detail:

"An exploit can also be included in specific document types that support embedded shortcuts."

Microsoft Security Advisory 2286198, version 1.2

Documents — such as but not limited to Microsoft Office documents.

This really expands the potential reach of the LNK vulnerability. Depending on how easily documents can be utilized, we will now almost certainly see targeted attacks delivered as e-mail attachments.

Fortunately, Microsoft's Active Protections Program (MAPP) provides excellent technical details and so we have further improved our protection against the WormLink exploit. Our latest signatures, Exploit:W32/WormLink.B and C, are more generic and effective than before. Kudos to Microsoft.

Let's review the workarounds listed in the advisory.

  •  Disable the displaying of icons for shortcuts
  •  Disable the WebClient service
  •  Block the download of LNK and PIF files from the Internet

Microsoft Support has a Knowledge Base Article which includes their one-click "Fix it" buttons for disabling shortcut functionality.

Everyone should review this new information and evaluate it for their environment while Microsoft continues their work to develop a security update.
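As an added illustration of the third workaround and of the embedded-shortcut case (this is not code from the advisory or from our signatures), the sketch below flags LNK/PIF files by extension and looks for the fixed Shell Link header inside other files, unpacking ZIP-based containers first. It is a filtering heuristic only; the function names, limits and sample data are assumptions made for the example.

```python
import io
import struct
import zipfile

# Every Shell Link file starts with HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
BLOCKED_EXT = (".lnk", ".pif")
MAX_MEMBER = 16 * 1024 * 1024   # assumed cap; larger archive members are reported, not unpacked
MAX_DEPTH = 3                   # assumed nesting limit for archives inside archives


def scan(name, data, depth=0):
    """Return findings for one downloaded file or attachment (name, raw bytes)."""
    findings = []
    if name.lower().endswith(BLOCKED_EXT):
        findings.append(f"{name}: blocked extension")
    pos = data.find(LNK_MAGIC)
    while pos != -1:            # a shortcut carried inside another file
        findings.append(f"{name}: shell link header at offset {pos}")
        pos = data.find(LNK_MAGIC, pos + 1)
    # ZIP-based containers (archives, OOXML documents) compress their members,
    # so the header is only visible after unpacking.
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}!{info.filename}"
                try:
                    if info.file_size > MAX_MEMBER:
                        raise ValueError("too large")
                    findings += scan(member, zf.read(info), depth + 1)
                except (RuntimeError, ValueError, zipfile.BadZipFile) as exc:
                    findings.append(f"{member}: not inspected ({exc})")
    return findings


# Constructed sample data: a header-only shortcut stub and a ZIP container
# with that stub inside one member. Neither is a real document or exploit.
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 56


def build_sample_container():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"OLEDATA" + SAMPLE_LNK)
    return buf.getvalue()
```

A hit means only that a shortcut is present, not that it is malicious; what to do with flagged files is a policy decision for each environment.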