
Microsoft Shortcut (LNK) Vulnerability

(MS10-046, 2286198, CVE-2010-2568)

Vulnerability

A critical zero-day .LNK (shortcut) vulnerability in Microsoft Windows is being actively exploited in the wild by the “Stuxnet” worm and the “Sality” malware family. This prompted Microsoft to issue an emergency patch 17 days after public disclosure of the vulnerability. A remote attacker may exploit this vulnerability to take complete control of the affected system.

Details

Windows includes shortcuts (.LNK files), which are aliases that permit access to other files or applications without having to navigate to them. The Windows Shell fails to correctly parse parameters of .LNK files, allowing malicious code to be executed when Windows attempts to display the icon of a specially crafted shortcut in Windows Explorer (or any other application that can display application shortcuts). The exploit can be distributed via removable media such as USB flash drives and CD-ROMs, as well as network shares and remote WebDAV shares. Microsoft released an out-of-band security update on August 2, 2010, that addresses this issue. Details about the update can be found in the Microsoft Security Advisory and Bulletin, linked above.
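The following triage sketch is an added example, not Check Point or Microsoft code. Because the shortcut is parsed when its icon is displayed, it identifies shell link files on a mounted removable volume or share from their header bytes rather than their file name, without rendering them in Explorer. The header size, CLSID and flag bits come from the published Shell Link format ([MS-SHLLINK]); the function names and the sample bytes are constructed for illustration.

```python
import os
import struct
import uuid

# Constants from the published Shell Link format ([MS-SHLLINK]).
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir",
              0x20: "HasArguments", 0x40: "HasIconLocation", 0x80: "IsUnicode"}
MAX_READ = HEADER_SIZE + 2 + 0xFFFF  # header + ID list size field + largest ID list

# Constructed sample: valid header with an empty target ID list, no real target.
SAMPLE = (struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID.bytes_le, 0x41)
          + bytes(52) + struct.pack("<H", 2) + b"\x00\x00")


def parse_lnk_header(data):
    """Return header facts if data begins with a Shell Link header, else None."""
    if len(data) < HEADER_SIZE:
        return None
    size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LINK_CLSID:
        return None
    info = {"flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
            "idlist_size": None, "truncated": False}
    if flags & 0x01:  # the target ID list follows the header, prefixed by its size
        if len(data) < HEADER_SIZE + 2:
            info["truncated"] = True
        else:
            (info["idlist_size"],) = struct.unpack_from("<H", data, HEADER_SIZE)
            info["truncated"] = len(data) < HEADER_SIZE + 2 + info["idlist_size"]
    return info


def find_shell_links(root):
    """Walk root and list files that are shell links by content, not by name."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    info = parse_lnk_header(fh.read(MAX_READ))
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if info is not None:
                info["named_lnk"] = name.lower().endswith(".lnk")
                hits.append((path, info))
    return hits
```

A hit with `named_lnk` set to False or `truncated` set to True is a shell link that does not look like an ordinary shortcut and is worth a closer look on an isolated analysis host.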

Affected Products

This vulnerability exists in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Solution

Check Point IPS-1, IPS Software Blade and NGX SmartDefense provide immediate network protection in the latest IPS Update by detecting and blocking the transfer of suspicious .LNK files over CIFS. For more information, see CPAI-2010-221.

Published July 19, 2010
Last Update August 3, 2010
