Just to recap
Computerworld - Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.
The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support, researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2.
In a security advisory, Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows "shortcut" files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.
"In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware," Dave Forstrom, a director in Microsoft's Trustworthy Computing group, said in a post Friday to a company blog. Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.
Most people didn't seem to concerned because they weren't inserting removable media into their machine. As it turns out there has been some speculation that a machine could also be compromised using this vulnerability via the icons you get while browsing to different websites.
Microsoft said ""An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location," the company said in the advisory. "When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked."
On the security now podcast Steve Gibson said
The act of displaying the icon of the link files executes the malicious code in that new machine. It's regarded as not requiring any specific user action. So in this particular case it's being considered a worm. And something like 9,000 instances of this a day is now being seen in the wild. The point is that everyone who recognizes how pervasive this can be is expecting this to be a big problem. And Microsoft in their most recent update acknowledged something that HD Moore was first quoted as saying. He has apparently figured out how to get favicons to do this.
Leo: Ugh. So websites would do it, then.
Steve: Yes. And so Microsoft has acknowledged that not only displaying these .LNK file icons in Windows Explorer, but now in Office documents, any Office documents are also vulnerable, including Outlook, which is to say email. So receiving malicious email containing one of these can compromise your system. And they also acknowledge websites can do it. You can now have a malicious website that will display, that will leverage this through the defect in the shell. And I'm not sure if it's all browsers. Certainly IE because Microsoft has acknowledged that. Depending upon where the display code is, I would imagine this may be cross-browser vulnerable also. We'll know more certainly a week from now.
The problem is that there isn't anything clearly - there's no real good solution for this. Microsoft has posted a Fix it which makes some changes to the registry and also shows what manual changes can be made. The problem is that the fix that is required, until we actually get the problem repaired, is that all of your link, all of your shortcuts stop being displayed, and you get sort of the generic white rectangle.
Just thought I would give everyone the heads up.