Automated Workaround for Windows Shell Flaw Released

Microsoft has added an automated means to address a zero-day Windows Shell vulnerability described in a security advisory released late last week.

Currently, there is no patch for the vulnerability, which is associated with a flawed mechanism in Windows Shell that incorrectly parses shortcuts, allowing corrupt code to execute. Instead, IT pros can disable the shortcuts in Windows by implementing a workaround. They can follow the steps manually or use the newly released "Fix it" solution, which automates the workaround.

The Fix it workaround, which "disables .LNK and .PIF file functionality," can be found in this new Knowledge Base article, released Tuesday. The workaround applies to Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 environments.

Windows Shell is a key graphic interface component for the Windows start menu and welcome screen processes. It works with .LNK files to create shortcut icons enabling quick access to program files. Exploits can be unknowingly triggered when users click on "specially crafted shortcut" icons located on a removable USB drive.

The Fix it workaround "disables icons from being displayed for shortcuts and can help prevent attacks attempting to exploit this vulnerability," according to Microsoft.

'Stuxnet' Worm Connection
The Windows Shell problem is associated with "Stuxnet," a malicious worm variant. The Stuxnet family of malware has the ability to propagate and infect new machines by infecting any USB drive connected to an infected OS.

Attacks were earlier reported in Iran. However, another incident has popped up, with Siemens reporting that an unidentified German company has been hit. The attack affected supervisory control and data acquisition (SCADA) software sitting on a Windows OS, according to Siemens.

Siemens issued an advisory Monday concerning two of its software products used in industrial processes, stating that "malware is currently spreading through a security breach in the Microsoft Windows operating system in connection with the database system of SIMATIC WinCC and SIMATIC PCS 7." Siemens added that it is working with Microsoft to find a solution at the operating system level.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also confirmed that the malware has attacked Siemens' software and attributed the discovery of the flaw to VirusBlokAda, a Belarus-based antivirus vendor. ICS-CERT issued an advisory (PDF) confirming that the Stuxnet worm attempts to access databases using the affected Siemens software. It's unknown to what degree the worm has generally affected control systems, according to ICS-CERT.

"There appears to be quite a bit of knowledge regarding Stuxnet," said Tyler Reguly, senior research engineer at nCircle. "We understand how it propagates, what it targets, etc. In my opinion, it's just another piece of malware, but it's scarier because it's targeting SCADA software using a Microsoft zero-day exploit."

For its part, Microsoft said that it had logged infection attempts by Stuxnet in the United States, Indonesia, India, and Iran. Security vendor Symantec is now logging about "9,000 infection attempts per day."

No Patch for Now
Reguly and other security experts, such as Jason Miller of Shavlik Technologies, don't think there will be an out-of-band patch for the flaw before next month. Microsoft will probably wait until the regular update cycle in August, Miller said in a recent blog post. Reguly suggested a delay might occur because "Microsoft still has to ensure that the patch will not break anything else and will be interoperable with other software."

Since the security advisory appeared late last week, IT experts have expected more malware variants exploiting the Windows Shell hole to crop up while Microsoft readies a patch.

Those IT organizations still using Windows XP Service Pack 2 or Windows 2000 will be out of luck should a patch be issued. Those operating systems lost security update support as of July 13. The remedy is to upgrade to a supported operating system, or, barring that, contact Microsoft for paid "custom support."

A Microsoft spokesperson did not provide the numbers, but estimated that most United States governmental organizations have already migrated to a supported Windows OS.

"While we believe that exposure to our Federal customers is very minimal since most, if not all, have upgraded to at least XP SP3, we would advise that customers verify whether they are still running XP SP2 or earlier Windows versions and apply the advisory as noted," the Microsoft spokesperson explained via e-mail.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
