On July 16th Microsoft published Security Advisory (2286198) concerning a vulnerability in Windows systems from XP to 7. All versions are affected, including the server derivatives. The vulnerability exists because Windows parses shortcuts in such a way that malicious code can be executed. It is possible to load malicious software using a prepared LNK or PIF file.
It is not required to open an infected file. Displaying the shortcut in Windows Explorer or any other graphical file browser (e.g. Total Commander) is sufficient. It does not matter where the file is located: it can be loaded from a USB stick, a CD-ROM or even a network share. Thus, the attack surface of this vulnerability is extremely large.
In addition, the consequences are severe. The system can be infiltrated by malicious code such as a rootkit. Rootkits are hidden from the user and even from anti-virus software. If the user of the infected system has administrator privileges, the attacker gains full control of the system.
Microsoft has not published a fix yet. Instead, there is a fairly basic workaround that consists of no longer loading the icons of LNK and PIF files.
This will leave your desktop and start menu looking a little confusing. Nevertheless, it is the most effective way to secure your system right now.
According to the Security Advisory there are two registry keys whose values have to be deleted.
[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler] and
[HKEY_CLASSES_ROOT\piffile\shellex\IconHandler].
For everyone who does not want to work with the registry manually, Microsoft released prebuilt MSIs (download here).
There is one for each case: one deletes the key values, the other restores them. You have to restart your system, or at least Explorer, for these changes to take effect.
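As an added example (not code from the original post or from Microsoft), the following PowerShell script reports whether the (Default) values of the two IconHandler keys named in the advisory are still present and, through the second function, applies the workaround after exporting the keys to a backup; the backup folder and the function names are assumptions.

```powershell
# Added example, not part of the original post or of Microsoft's Fix it packages.
# Checks and applies the IconHandler workaround from Security Advisory 2286198.
# Run in an elevated PowerShell session; the backup location is an assumed default.

$IconHandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Test-IconHandlerWorkaround {
    # Returns one object per key; Applied is $true when the (Default) value is gone.
    foreach ($key in $IconHandlerKeys) {
        $item    = Get-Item -Path $key -ErrorAction SilentlyContinue
        $handler = if ($item) { $item.GetValue('') } else { $null }
        [pscustomobject]@{
            Key     = $key -replace '^Registry::', ''
            Handler = $handler
            Applied = [string]::IsNullOrEmpty($handler)
        }
    }
}

function Enable-IconHandlerWorkaround {
    param([string]$BackupDir = "$env:TEMP\iconhandler-backup")   # assumed location
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $IconHandlerKeys) {
        $regPath = $key -replace '^Registry::', ''
        $name    = ($regPath -split '\\')[1]   # "lnkfile" or "piffile"
        # Keep a .reg export so the value can be restored once a patch is installed.
        & reg.exe export $regPath (Join-Path $BackupDir "$name.reg") /y | Out-Null
        if (-not (Test-Path -Path $key)) { continue }
        # Deleting the (Default) value is exactly the change the advisory describes.
        Remove-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue
    }
    # The change only takes effect after Explorer has been restarted.
    Stop-Process -Name explorer -Force
    Start-Process -FilePath explorer.exe
}

# Report the current state; call Enable-IconHandlerWorkaround to apply the workaround.
Test-IconHandlerWorkaround | Format-Table -AutoSize
```

To undo the workaround later, import the exported .reg files from the backup folder and restart Explorer again.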
As long as there is no patch from Microsoft, you have to take the above measures in order to protect your system. The Internet Storm Center raised its threat alert level to "yellow" for a short time to draw attention to the vulnerability. A larger attack wave must be expected.
Sources:
Microsoft Security Advisory (2286198)
Microsoft Support Fix
ISC Threat Alert Level
Thomas Bahn, Diplom-Mathematiker, IT specialist and speaker at professional conferences
Thomas Bahn is co-founder and managing director of assono GmbH. For more than 20 years he has successfully advised companies from all over Germany on software and digitalisation. Particularly in the areas of HCL Notes and Domino (formerly IBM), as well as in current, business-relevant AI topics such as chatbots, he knows the latest developments and how companies can put them to profitable use. Because of his expert knowledge, Thomas Bahn is a regular speaker at national and international professional conferences.