Microsoft Windows automatically executes code specified in shortcut files
D-SWAT

  Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. Clicking on a LNK file has essentially the same outcome as clicking on the file that is specified as the shortcut target.

Per Microsoft Security Advisory (2286198):
  The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.

  "Microsoft Windows fails to safely obtain icons for LNK files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of an LNK file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive, such as a USB thumb drive, is connected. Other applications that display file icons can be used as an attack vector for this vulnerability as well," US-CERT described.

This vulnerability is being exploited in the wild to spread malware that targets control systems. Exploit code for this vulnerability is publicly available.


Solution:

Until updates are available, Microsoft urges users to use the following workarounds:

Disable the displaying of icons for shortcuts
      1. Click Start, click Run, type Regedit in the Open box, and then click OK.
      2. Locate and then click the following registry key:
          HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
      3. Click the File menu and select Export.
      4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save.
          Note This will create a backup of this registry key in the My Documents folder by default.
      5. Select the value (Default) in the right-hand window of the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
      6. Restart explorer.exe or restart the computer.

Disable the WebClient service
      1. Click Start, click Run, type Services.msc and then click OK.
      2. Right-click WebClient service and select Properties.
      3. Change the Startup type to Disabled. If the service is running, click Stop.
      4. Click OK and exit the management application.
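
Both workarounds above can be audited or applied from an elevated Windows PowerShell prompt. The script below is an added example, not part of the Microsoft or DrayTek text; the -Apply and -BackupFile parameters, the Get-WorkaroundState function and the backup location under the user profile are assumptions made for illustration.

```powershell
# Added example: audit (default) or apply (-Apply) the two workarounds.
# Uses Get-WmiObject, so it targets Windows PowerShell rather than PowerShell 7.
param(
    [switch]$Apply,
    # Assumed location; the advisory only names the file LNK_Icon_Backup.reg.
    [string]$BackupFile = (Join-Path $env:USERPROFILE 'LNK_Icon_Backup.reg')
)

$regKey  = 'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$psKey   = "Registry::$regKey"
$svcName = 'WebClient'

function Get-WorkaroundState {
    # Read the (Default) value of the shortcut icon handler key.
    $handler = (Get-ItemProperty -Path $psKey -ErrorAction SilentlyContinue).'(default)'
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
    New-Object PSObject -Property @{
        IconHandlerBlank  = [string]::IsNullOrEmpty($handler)
        WebClientDisabled = (-not $svc) -or ($svc.StartMode -eq 'Disabled')
        WebClientStopped  = (-not $svc) -or ($svc.State -ne 'Running')
    }
}

if ($Apply) {
    if (-not (Get-WorkaroundState).IconHandlerBlank) {
        # Export the key first. An existing backup is never overwritten, so a
        # second run cannot replace the original handler value with a blank one.
        if (-not (Test-Path $BackupFile)) {
            & reg.exe export $regKey $BackupFile | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; nothing changed." }
        }
        # Blank the (Default) value so no icon handler is loaded for .lnk files.
        Set-ItemProperty -Path $psKey -Name '(default)' -Value ''
    }
    # Disable the WebClient service and stop it if it is running.
    if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
        Set-Service  -Name $svcName -StartupType Disabled
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    }
    Write-Host 'Restart explorer.exe or reboot for the icon change to take effect.'
}

# Report the resulting state in both modes.
Get-WorkaroundState | Format-List
```

Importing the exported .reg file restores the original icon handler once the vendor update is installed.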

For more details, please see the Microsoft security advisory 2286198.


References:

  http://www.microsoft.com/technet/security/advisory/2286198.mspx
  http://www.kb.cert.org/vuls/id/940193



Information provided by DrayTek Corp.

