Microsoft Announces Out of Band Patch for Shortcut Vulnerability
July 31, 2010
Update August 02, 2010: Out of Band Update Released
If you follow network security news, you have likely heard about a vulnerability in the way Windows handles shortcut files. Due to the way this vulnerability is currently being exploited, Microsoft has announced a patch that will be released on August 2, 2010.
This speaks to the seriousness of this exploit, as Microsoft typically releases updates on a set schedule, making this an Out-of-Band Patch.
The .lnk file vulnerability affects most supported versions of Microsoft Windows, including Windows Vista, Windows XP, Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, and Windows 7. The exploit uses the .lnk file, which is a shortcut file or desktop icon, to run malicious code and has already been seen in USB-based attacks.
However, it has also been seen exploited online. The Microsoft Malware Protection Blog discusses the Stuxnet LNK vulnerability, as well as several other pieces of malware, including Sality, Vobfus, and Chymine, which have already taken advantage of this delivery method.
Importance of Upgrades and Why Automatic Updates Aren’t Always Bad
Windows Update has dramatically improved since XP, making it much easier to check which updates are available and install them. Despite the improved user interface, it is still not uncommon to see clients who do not have it set to update automatically and never update manually. It is also common for them to avoid the “Shutdown and Install Updates” option, which can look foreign. However, this vulnerability is the perfect example of why it is so important to update your operating system.
Now, on my personal computer, I always have updates set to manual. This allows me to control which updates are installed, making it possible to avoid certain ones, like the malicious software checker or unrelated stuff, as well as to prioritize when they are installed.
For someone who is sort of technical, it can be easy to forget that putting this type of responsibility on the average user is asking a little too much. As a result, I feel that setting everything to automatically update is the safest route for non-technical users. I typically explain this when dropping off the computer, but for the majority of my users this is the best option.
Even still, many will ignore the “Shutdown and Install Updates” option, which is why it is always important to create a dialog about updates, especially when doing a virus removal.
On their security blog, which is linked above, Microsoft said the Stuxnet Malware “…is known to infect other files (making full removal after infection challenging).”
Anyone who does computer repair can tell you that this is not unique to Stuxnet. In many cases, it is easier and much more effective to simply reinstall Windows, rather than trying to track down and remove each piece of malware.
However, by regularly updating Windows and running a sensible anti-virus, many of these problems can be prevented. With that said, I feel the user's browsing habits are equally important, if not more so.