Microsoft acknowledged the flaw in a security advisory Friday, while offering a workaround, but not a patch. Microsoft updated the advisory on Monday with a short statement that “Microsoft is currently working to develop a security update for Windows to address this vulnerability.”
Microsoft recently allowed one vulnerability affecting an older version of Office to go unpatched, but since the latest exploit affects all versions of Windows, it would be highly unlikely for Microsoft not to issue a permanent fix.
Microsoft did not say whether it will wait until the next regularly scheduled Patch Tuesday, Aug. 10, to issue the patch or whether it will do so earlier than that. Time may be of the essence, as attacks have already been reported and a working exploit was published by a security researcher, perhaps ensuring that more attacks will occur.
The new vulnerability affects Windows Shell, the Windows graphical user interface, and allows attackers to hack systems using malicious shortcut files. The vulnerability could be exploited remotely, but is more likely to be exploited using removable drives, such as USB sticks, according to Microsoft. The vulnerability exists because Windows incorrectly parses shortcuts, allowing the execution of malicious code.
“An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary,” Microsoft says. “When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker's choice on the victim system. An attacker could also set up a remote network share, and place the malicious components on this share. When the user browses the share, Windows will attempt to load the icon of the shortcut file, and the malicious binary may be invoked.”
Microsoft offered two workarounds: one that prevents icons from being displayed for shortcut files, and another that disables the WebClient service, blocking the remote (WebDAV network share) attack vector.
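The following PowerShell script is an added example, not taken from the article or from Microsoft's advisory. It lets an administrator audit the state of the WebClient service on a Windows host and apply (or revert) the second workaround described above. It assumes the service's internal name is `WebClient` (the WebDAV redirector service) and that it is run from an elevated session; `-WhatIf` is supported so the change can be previewed before it is made.

```powershell
# Added example: audit and apply the "disable WebClient service" workaround.
# Assumes the WebDAV redirector service is registered under the name 'WebClient'
# and that this runs in an elevated (administrator) PowerShell session.

function Get-WebClientState {
    # Returns the current run status and startup mode of the WebClient service,
    # or 'NotInstalled' when the service does not exist on this host.
    $svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    # Win32_Service exposes StartMode on older PowerShell versions as well.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        Status    = $svc.Status       # Running / Stopped
        StartMode = $wmi.StartMode    # Auto / Manual / Disabled
    }
}

function Disable-WebClientWorkaround {
    # Stops the service and sets its startup type to Disabled so it does not
    # return after a reboot. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('WebClient service', 'Stop and set startup type to Disabled')) {
        Stop-Service -Name 'WebClient' -Force -ErrorAction SilentlyContinue
        Set-Service  -Name 'WebClient' -StartupType Disabled
    }
}

function Undo-WebClientWorkaround {
    # Restores the default startup type (Manual) once a patch is deployed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('WebClient service', 'Set startup type back to Manual')) {
        Set-Service -Name 'WebClient' -StartupType Manual
    }
}

# Usage: record the state before and after the change for the change log.
'Before:'; Get-WebClientState
Disable-WebClientWorkaround -WhatIf   # drop -WhatIf to actually apply the workaround
'After:';  Get-WebClientState
```

Keeping the before/after output gives a record for the change ticket and makes it straightforward to confirm, across a fleet, which hosts still have the service enabled while waiting for the update Microsoft said it was developing.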
These workarounds were described as “highly impractical for most environments” by Chester Wisniewski, a security researcher at Sophos.