Automated Workaround for Windows Shell Flaw Released

Microsoft has added an automated means to address a zero-day Windows Shell vulnerability described in a security advisory released late last week.

Currently, there is no patch for the vulnerability, which stems from a flawed mechanism in Windows Shell that incorrectly parses shortcut files, allowing malicious code to execute. Instead, IT pros can disable shortcut handling in Windows by implementing a workaround. They can follow the steps manually or use the newly released "Fix it" solution, which automates the workaround.

The Fix it workaround, which "disables .LNK and .PIF file functionality," can be found in this new Knowledge Base article, released Tuesday. The workaround applies to Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 environments.

Windows Shell is a key graphic interface component for the Windows start menu and welcome screen processes. It works with .LNK files to create shortcut icons enabling quick access to program files. Exploits can be unknowingly triggered when users click on "specially crafted shortcut" icons located on a removable USB drive.

The Fix it workaround "disables icons from being displayed for shortcuts and can help prevent attacks attempting to exploit this vulnerability," according to Microsoft.

'Stuxnet' Worm Connection
The Windows Shell problem is associated with "Stuxnet," a malicious worm variant. The Stuxnet family of malware has the ability to propagate and infect new machines by infecting any USB drive connected to an infected OS.

Attacks were earlier reported in Iran. However, another incident has popped up, with Siemens reporting that an unidentified German company has been hit. The attack affected supervisory control and data acquisition (SCADA) software sitting on a Windows OS, according to Siemens.

Siemens issued an advisory Monday concerning two of its software products used in industrial processes, stating that "malware is currently spreading through a security breach in the Microsoft Windows operating system in connection with the database system of SIMATIC WinCC and SIMATIC PCS 7." Siemens added that it is working with Microsoft to find a solution at the operating system level.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also confirmed that the malware has attacked Siemens' software and attributed the discovery of the flaw to VirusBlokAda, a Belarus-based antivirus vendor. ICS-CERT issued an advisory (PDF) confirming that the Stuxnet worm attempts to access databases using the affected Siemens software. It's unknown to what degree the worm has generally affected control systems, according to ICS-CERT.

"There appears to be quite a bit of knowledge regarding Stuxnet," said Tyler Reguly, senior research engineer at nCircle. "We understand how it propagates, what it targets, etc. In my opinion, it's just another piece of malware, but it's scarier because it's targeting SCADA software using a Microsoft zero-day exploit."

For its part, Microsoft said that it had logged infection attempts by Stuxnet in the United States, Indonesia, India, and Iran. Security vendor Symantec is now logging about "9,000 infection attempts per day."

No Patch for Now
Reguly and other security experts, such as Jason Miller of Shavlik Technologies, don't think there will be an out-of-band patch for the flaw before next month. Microsoft will probably wait until the regular update cycle in August, Miller said in a recent blog post. Reguly suggested a delay might occur because "Microsoft still has to ensure that the patch will not break anything else and will be interoperable with other software."

Since the security advisory appeared late last week, IT experts have expected more malware variants exploiting the Windows Shell hole to crop up while Microsoft readies a patch.

Those IT organizations still using Windows XP Service Pack 2 or Windows 2000 will be out of luck should a patch be issued. Those operating systems lost security update support as of July 13. The remedy is to upgrade to a supported operating system, or, barring that, contact Microsoft for paid "custom support."

A Microsoft spokesperson did not provide the numbers, but estimated that most United States governmental organizations have already migrated to a supported Windows OS.

"While we believe that exposure to our Federal customers is very minimal since most, if not all, have upgraded to at least XP SP3, we would advise that customers verify whether they are still running XP SP2 or earlier Windows versions and apply the advisory as noted," the Microsoft spokesperson explained via e-mail.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
