Windows Zero-Day Advisory Issued on USB Drives

Microsoft issued a security advisory Friday about a Windows vulnerability associated with shortcut icons on USB drives.

Most supported Windows versions are subject to the vulnerability. The flaw even touches Service Pack 1 beta for Windows 7 and Windows Server 2008 R2, which was released last week. Consequently, some described this USB threat as "the first zero-day" notice issued for that SP1 release.

As yet, there's no patch for the vulnerability, but Microsoft's security advisory 2286198 suggested some workarounds, including disabling shortcuts. If unaddressed, the vulnerability could enable an attacker to execute code on the system as a user. The exploit is worse if the user has administrative rights on the system, according to Microsoft.

Microsoft traced the vulnerability to a flaw in Windows Shell that incorrectly parses shortcuts, enabling malicious code to be executed. The exploit is typically triggered when users click on "specially crafted shortcut" icon located on a USB drive or removable disk drive, according to the advisory. However, it can also be triggered via "network shares or remote WebDAV shares."

Shortcuts are files that use the .LNK extension. For the exploit to work, a specially crafted .LNK file needs to be parsed by Windows Explorer. The exploit somehow uses AutoPlay to execute. AutoPlay is a Windows feature that facilitates the operation of attached devices by automatically loading driver software. However, even with AutoPlay disabled (as it is by default in Windows 7), the exploit is still possible if users browse to the root folder of the USB drive, the advisory explained.

Microsoft commented in a blog post that it has so far seen "only limited, targeted attacks on this vulnerability." The vulnerability has been associated with the Stuxnet worm, with most of the attacks occurring in Iran and Indonesia. This worm is also being spread by e-mail related to "game cheats," according to Microsoft.

Microsoft hasn't identified the threat level for this vulnerability, but software security firm Secunia rated it as "highly critical."

Microsoft likely won't issue an out-of-band fix or this zero-day exploit, according to Jason Miller, data and security team manager at Minneapolis, MN-based Shavlik Technologies, in a blog post. Possibly, Microsoft will wait until Aug. 10, which is the scheduled date for Microsoft's monthly security update, to issue a patch.

Miller noted that if IT pros apply Microsoft's workarounds, they should undo them prior to applying any patch.

The vulnerability is also present in Microsoft's older,  unsupported operating systems, such as Windows XP SP2, which lost patch support after July 13. Microsoft recommended that organizations pay for "custom support" to address security issues if they can't migrate or update an unsupported Microsoft OS.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • The AI Show

    Register for Free to Attend the World's Greatest Show for All Things AI in EDU

    The AI Show @ ASU+GSV, held April 5–7, 2025, at the San Diego Convention Center, is a free event designed to help educators, students, and parents navigate AI's role in education. Featuring hands-on workshops, AI-powered networking, live demos from 125+ EdTech exhibitors, and keynote speakers like Colin Kaepernick and Stevie Van Zandt, the event offers practical insights into AI-driven teaching, learning, and career opportunities. Attendees will gain actionable strategies to integrate AI into classrooms while exploring innovations that promote equity, accessibility, and student success.

  • laptop displaying a red padlock icon sits on a wooden desk with a digital network interface background

    Reports Point to Domain Controllers as Prime Ransomware Targets

    A recent report from Microsoft reinforces warns of the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

  • laptop displaying a glowing digital brain and data charts sits on a metal shelf in a well-lit server room with organized network cables and active servers

    Cisco Unveils AI-First Approach to IT Operations

    At its recent Cisco Live 2025 event, Cisco introduced AgenticOps, a transformative approach to IT operations that integrates advanced AI capabilities to enhance efficiency and collaboration across network, security, and application domains.

  • educators seated at a table with a laptop and tablet, against a backdrop of muted geometric shapes

    HMH Forms Educator Council to Inform AI Tool Development

    Adaptive learning company HMH has established an AI Educator Council that brings together teachers, instructional coaches and leaders from school district across the country to help shape its AI solutions.