If you have been a bit concerned about the possibility of the .lnk vulnerability hitting your machine, you are a conscientious user, and can give yourself 10 points in the overall game of computing. It shows you are paying attention to what is happening and are likely to have a machine with few problems, simply because of your diligence.

Bravo!

If, on the other hand, you also don’t like using the Microsoft idea of disabling the .lnk behavior as the equivalent of using a 4’x8′ sheet of plywood to swat a fly, you are also showing some intelligence, and enough that you should know there is a better way than the brute force method that Microsoft espouses simply to cover its butt.

A story in ComputerWorld tells of a small program, which works for the vast majority of those affected (everyone but the Windows 2000 users), from Sophos, and lets a sensible approach be used to deal with the problem, until Microsoft comes up with a solution.

The security firm Sophos released a tool on Monday that it claimed will block any attacks trying to exploit the critical unpatched vulnerability in Windows’ shortcut files.

The tool, dubbed “Sophos Windows Shortcut Exploit Protection Tool,” will protect users until Microsoft releases a permanent patch for the problem, said Chet Wisniewski, a senior security advisor at Sophos.

“The tool replaces Windows’ icon handler, so that anything that calls the handler, we’re going to intercept,” Wisniewski told Computerworld.

But Microsoft refused to condone the Sophos tool, a position it takes whenever third-party solutions to a Windows bug are introduced.

“Microsoft does not endorse third-party tools,” said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC). “We recommend that customers apply the workaround in Security Advisory 2286198, as it helps to protect customers from all known attack vectors.”

The vulnerability is in how the Windows parses shortcuts, the small files that graphically represent links to programs and documents. Shortcuts are a key component of the Windows desktop, including the Start menu and the taskbar.

The bug was first described more than a month ago by VirusBlokAda, a little-known security firm based in Belarus. It attracted widespread attention only after security blogger Brian Krebs reported on it July 15.

A day later, Microsoft confirmed the bug and admitted that attackers were already exploiting the flaw.

Does it not seem strange that since the bug affects a current OS, and the Microsoft flagship, they would not get on the stick with this? A month seems more than enough to whip something up, especially since a third party has been able to do so.

All versions of Windows contain the vulnerability, including the preview of Windows 7 Service Pack 1 (SP1), and the recently retired-from-support Windows XP SP2 and Windows 2000.

Exploit code has been widely distributed on the Internet, and Microsoft and others have spotted several attack campaigns based on the bug.

Initial attacks using the shortcut vulnerability were aimed at major manufacturing and utility companies. Two weeks ago, Siemens alerted customers of its Simatic WinCC management software that attacks using the vulnerability were targeting computers used to manage large-scale industrial control systems, often called SCADA, for “supervisory control and data acquisition.”

Hackers gained control of computers at at least one German customer of Siemens with the shortcut-exploiting “Stuxnet” worm, the electronics giant has confirmed.

Nearly 60% of the PCs identified by security vendor Symantec that have been infected by Stuxnet are located in Iran, a statistic that’s sparked speculation that the country’s infrastructure may have been targeted for attack.

Microsoft’s advice has been to disable the displaying of shortcuts, a move many users may resist since it makes much of Windows almost unusable. The Sophos tool leaves shortcut icons untouched.

Disabling shortcuts is like Microsoft saying, “we give up!” – the bad guys have gotten us this time. Is that the response they should give? I certainly don’t think so.

Wisniewski defended Sophos’ release of the tool. “This is a reasonably unique situation in that we can put ourselves in the way of attacks,” he said. “We’re not suggesting that users not apply the Microsoft patch when it’s ready. And the tool doesn’t modify Windows or other files, so it’s not really a patch.”

The shortcut protection tool works by replacing Windows’ own icon handler, then intercepting Windows’ shortcut files — identified by the “.lnk” extension — and warning when it spots a suspicious shortcut.

“The tool looks at each shortcut to see whether it includes a code path with the vulnerable [LoadLibrary ()] call,” said Wisniewski, talking about the specific Windows call that many researchers have pinpointed as the core problem. “Then it looks to see if that’s calling an executable or .dll. If it is, the warning appears.”

Microsoft has promised to patch the shortcut parsing bug, but has not yet disclosed a timeline. The next regularly-scheduled Windows security updates are to ship in two weeks, on Aug. 10.

“Microsoft needs to fix the core issue,” echoed Wisniewski Monday. “That means they’ll have to patch ‘Shell32.dll’ itself.” Shell32.dll is a crucial Windows library file that contains numerous Windows Shell API (application programming interface) functions.

Microsoft must step carefully as it crafts a patch for the vulnerability, said Wisniewski, who added that that was the most likely reason why Microsoft had not issued a patch. “If they mess up [Shell32.dll], everyone’s machine will really be messed up,” said Wisniewski. “Their biggest challenge is testing the fix.”

Do you ever wonder why, in all of these years, why no one at Microsoft ever thought of this, and then worked to fix it? It does make it look as though their thinking and sight is rather narrow – it might be time for some new blood on the Windows 8 team, simply because the same mistakes are being made over and over. I’ve been hearing stories about Microsoft hiring the best and brightest for over 20 years. Either one of two things is happening – they are doing that, and then not listening to what the B&B have to say, or the story about the job searches is all bull. So, Microsoft, which of these is it?

Microsoft’s inability to endorse the shortcut tool notwithstanding, Sophos believes it’s a credible defense until a patch is produced.

“Hopefully, Microsoft will [soon] release a proper patch to protect against the shortcut vulnerability, and then you can simply uninstall our tool,” said Graham Cluley, a senior technology consultant at Sophos, in a post to his blog earlier Monday. “But in the meantime, this is neat. Very neat.”

The Sophos Windows Shortcut Exploit Protection Tool works on Windows XP, Vista and Windows 7, but not on Windows 2000. It can be downloaded free-of-charge from the company’s Web site.

In the mean time, we have a credible tool, and don’t have to fully cripple our machines. This is similar to the autoplay function being disabled because of possible infections from thumbdrives. How many things will users stand losing, after being used to them for years, before they start looking toward brand L{inux} or Brand U{nix} products? I almost forgot, I’m certain there are a few Apple converts because of all of these attacks become so annoying and, for many, worrisome.

§


A Cat's Life

Mad as Hell (Howard Beale-Network)

While it’s great that Sophos has an answer, we should all be “mad as hell” that Microsoft does not, and gives lame excuses why the Sophos solution should not be used.

®