UPDATE: Should you be worried about the Windows "LNK" vulnerability?


I'm getting a lot of emails about the recently discovered LNK exploit which makes nefarious use of the way Microsoft parses links and shortcut icons. Is it a big deal? Should you be worried? Should you just switch off your PC, unplug it and start using an abacus (or Mac? ... or Linux?)?

... breathe ... breathe ... oh, and DON'T PANIC!

First, some information as released by Microsoft.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.

Here's a description of the vulnerability:

What causes this threat? When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.

In other words, a design flaw.

This vulnerability is present in 32-bit and 64-bit flavors of Windows XP, Server 2003, Vista, Server 2008, Windows 7 (including beta Service Pack 1) and Server 2008 R2 (including beta Service Pack 1). As you'd expect, Mac and Linux are unaffected.

Microsoft is working on an update, but at present there's no timeline for when a patch will be released.

While attacks using this do seem to be sophisticated, they are at present very limited in nature. Looks like someone crafted this attack for a specific job. The good news from that is that this vulnerability isn't in wide circulation. So while it could be loaded onto a USB flash drive or CD, or even leveraged remotely via network shares and WebDAV, the chances of you being affected by this vulnerability are so close to zero as to be zero.

On top of that, by now most of the top antivirus providers will have updated their signature files in order to be able to detect and defend against this nasty.

Also, for those of you who might be ultra paranoid, Microsoft has published workarounds which range from stripping all icons away from shortcuts (something which I think will have a massive negative effect on productivity) to disabling WebDAV client services (check out the Workarounds section of Microsoft advisory KB228698). For 99.9% of users out there, this should be unnecessary (especially if you run up-to-date antivirus). You can also choose to block LNK and PIF files at your borders if you have a firewall that accepts rules, which will provide protection from remote attacks.
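As an added illustration (not part of the original article or of Microsoft's advisory), here is one way a gateway or mail filter could apply the "block LNK and PIF files at your borders" rule by content as well as by file name, so that a shortcut renamed or tucked inside a ZIP container is still caught. The function names, the size cap and the sample files are assumptions made up for this example.

```python
import io
import struct
import zipfile

# Shell Link header (MS-SHLLINK): HeaderSize 0x4C, then the LinkCLSID in on-disk GUID order.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
BLOCKED_EXTENSIONS = (".lnk", ".pif")  # PIF has no reliable magic: name check only
MAX_MEMBER_SIZE = 10 * 1024 * 1024     # assumed cap so archives cannot exhaust memory


def block_reason(name, data, depth=0):
    """Return why a transferred file should be stopped, or None to let it pass."""
    if name.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS):  # Windows drops trailing dots
        return f"{name}: blocked extension"
    if data[:20] == LNK_MAGIC:
        return f"{name}: shortcut content under another extension"
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= 2:
            return f"{name}: archive nesting too deep to inspect"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.file_size > MAX_MEMBER_SIZE:
                        return f"{name}: member too large to inspect"
                    inner = block_reason(member.filename, archive.read(member), depth + 1)
                    if inner:
                        return f"{name} -> {inner}"
        except (RuntimeError, zipfile.BadZipFile):  # encrypted or damaged archive
            return f"{name}: archive could not be inspected"  # fail closed
    return None


def build_samples():
    """Constructed inputs: a bare 76-byte link header stands in for a real shortcut."""
    fake_lnk = LNK_MAGIC + bytes(56)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docs/invoice.dat", fake_lnk)
    return {
        "notes.txt": b"plain text",
        "legacy.pif.": b"\x00" * 16,
        "photo.jpg": fake_lnk,
        "bundle.zip": buf.getvalue(),
    }


if __name__ == "__main__":
    for filename, content in build_samples().items():
        print(filename, "=>", block_reason(filename, content) or "pass")
```

The filter fails closed: an archive it cannot open, or one nested too deeply, is reported rather than passed.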

For those wanting to know more, WebSense has a technical analysis here.

So, should you be worried? No.

[UPDATE: So, should you be worried ... ? Well, a little. These attacks have spread over the past few days, but still remain relatively low. However, if you are concerned, or feel that your antivirus software doesn't offer protection, it is advisable that you disable WebDAV client services, just to be safe.]


Talkback

57 comments
  • There is an A bomb in Times Square

    Could it explode? Yes. But should you be worried? Definitely not! You do not go there except on weekends and Christmas? And I am sure by now our most competent boys in blue would have poured some water on the bomb so it does not overheat and explode.
    kirovs@...
    • RE: Should you be worried about the Windows

      @itkonl You sir are a thief! Anyone who takes over someone else's site like this is stealing. What you are doing is not what this site is intended for. Not only that, but since you are stealing this property from this website, it tells me that you are dishonest. Therefore, I would NEVER buy anything from you. You have already proven you are a CROOK!!! xbox180
      jeroldo
  • Not worried, however...

    I am glad I am informed. I'd rather know about it now than have it kept secret until a patch is available. At least then I have a fighting chance to protect myself and others for whom I am responsible.
    Michael Kelly
  • Cue Dietrich...

    "The world is coming to an end if you don't switch to Linux NOW! Linux is the ONLY software that CAN and WILL save your soul from the evil empire!" Blah blah blah..

    Good info Adrian, Thanks.. I can rest easy.
    Wolfie2K3
    • Thanks for filling in Wolfie!

      @Wolfie2K3

      Semper Fi
      Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Should you be worried about the Windows

      @Wolfie2K3 I heard that since the mid-90's. I have yet to see a Linux PC in any home but mine (and at a few friends' working in IT).
      mtifo@...
      • Linux in the home...

        @mtifo@... "I [have] heard that since the mid-90's. I have yet to see a Linux PC in any home but mine (and at a few friends working in IT)."

        I too have been working with Linux on and off since the mid-1990s, and there is good reason for this lack of penetration of the home market, quite aside from Microsoft's constant assaults on the Linux community (Linspire and other distros they've directly attacked, et al.). The fact that far too much hardware doesn't have downloadable drivers that just work is a huge minus to non-technically-minded people (i.e.: typical computer users).

        I'm a computer technician, and I've yet to get my RTL8192SE-VA2 wifi card to work in either 32-bit or 64-bit Linux Mint 9 (which, since it's based on the Ubuntu codebase, is of huge concern). I've tried four versions of the driver, and compiling has been quick, but it hasn't worked, even though I'm following the instructions to the letter. That sort of problem is something the masses simply can't (or won't) bother with, and I can't say I blame them.
        Raymond Danner
      • Linux in the home

        @mtifo@... I have over a dozen home users of Linux I service. Most of them got frustrated with Windows getting gunked up over and over when the children lay hands on it.

        A few got a conscience and switched when I explained Microsoft licensing to them. (ie why you are having trouble installing XP with your brother-in-law's disk and getting it validated)
        pgit
      • Check any laptop with a "quick boot" environment

        @mtifo@ and @Raymond Danner@ ... Maybe you don't consider this a PC in the home -- but a lot of laptops nowadays are shipping with "quick boots" built in -- e.g. HP laptops now have Splashtop in there, standard. Boots in 2 - 3 seconds, and you're using a Linux distro for mail, web, skype, music, video, etc.
        daboochmeister
      • RE: Should you be worried about the Windows

        @daboochmeister:

        I see some problems with those "quick boot" environments:

        - The one on my new netbook has icons that are way too abstract for most people to understand. The UI might win an art award, but is not user friendly.

        - The dark theme on mine is questionable for everyday use.

        - Most important: It's about as clamped down as you can get. There's no readily available way to upgrade it, and no way to add apps that might better fit your needs. If you don't like the built-in apps, you might as well turn it off.

        Despite having a Linux base, it's not very open.

        Not being able to upgrade easily is a big security concern, as we all know that for best security you want to keep things up to date.
        CobraA1
      • Most won't know it's Linux and wouldn't care

        @daboochmeister

        Splashtop takes 17s to load on my Vaio P Series compared to Win 7 at 35s. Hardly instant-on, and hardly worth the time saved when it's so restricted compared to a real OS. If I want 'instant-on', I just run Win 7 in sleep and it starts in 3s, and still lasts all day with intermittent use (as I have noticed most who use their iPods do) on one battery.

        The thing is that such black box OSs are hardly going to give Linux brand recognition and are only as valid as long as the computer lasts, if they haven't been ditched much earlier because they didn't save enough time to bother with.

        I didn't know Splashtop was Linux, as it could have been a dedicated browser app/OS. The original P Series I had, had a different Linux 'instant-on' regime that proved just as slow to start up, so it got blown away with Vista when I upgraded it to Win 7.
        Patanjali
    • narrow minded

      @Wolfie2K3

      Yes, we should stand firm against these obsessed fanatics full of prejudgment against good quality software. Incredible that people are so narrow minded.

      On the contrary, we know that the universe will not collapse, but still the earth may stop turning or at least the world as we know will cease to exist if we don't pick, out of a few 100 possibilities, the product of that Redmond company.

      Some people may think that is sufficient to use it in two places, for our administration at the office where our employer put it on our computer and on our home computer where we had to buy it anyway when the thing was bought. But more is needed. People should not underestimate the vital importance to use it nowhere. Only so our world can survive.

      For this we happily can count on a great company and moral reference like MS that was ready to license its great Win XP OS for just a few dollars on Netbooks, just to protect us against the dangers of that open OS.

      What can we do anyway with that "open" OS? And do you ever hear users of MS products complaining that Linux is dominating the world of supercomputing, and is so strong in many other areas?
      bezoeker
    • RE: Should you be worried about the Windows

      @CobraA1

      IMPORTANT !!!
      I think it is important to correct this potentially dangerous claim about a bootdisk:

      "Not being able to upgrade easily is a big security concern, as we all know that for best security you want to keep things up to date."

      If you boot from a bootdisk and then go directly to your homebanking site, you will be at least 10 times more safe than if you use your hard-disk based computer that you normally use to visit the Internet. Even while that bootdisk does not have the latest version and patches for every soft on it.

      It is very improbable that your system would get infected while visiting your homebanksite. To be infected before that malware has to be inserted before you burn the CD. At this moment that risk is very improbable.

      Follow this (Dutch) link to find out how the criminals proceed, http://www.tijd.be/nieuws/ondernemingen_financien/De_kraak_van_de_eeuw-_uw_onlinebankrekening.8942619-3095.art?highlight=internet%20criminelen or read any other information about the subject.
      bezoeker
  • RE: Should you be worried about the Windows

    Nope not worried at all. This vulnerability is so limited in scope it would be extremely hard to exploit. Microsoft will be issuing a fix soon enough which will make this whole thing non-existent. No need to even discuss it any further.
    Loverock Davidson
    • RE: Should you be worried about the Windows

      @Loverock Davidson
      ROFL! All is well. You can eat cake instead of bread. Not worried, not worried, not worried....
      And I am glad at least one person knows the scope. Could you enlighten us Loverock? What tools did you use? You know you can make money by selling those to MS or Symantec?
      kirovs@...
    • RE: Should you be worried about the Windows

      @Loverock Davidson - You are as dangerous as the people that make these malwares, trying to smooth over anything that makes your beloved Microsoft look less than perfect. Be objective at least occasionally and people might take you seriously.

      This design flaw could execute any program, so assuming that others know about it, which I'm sure is true, there will be new payloads besides the original Siemens specific one. The fact that AV sigs now cover the original is pretty meaningless.

      http://blog.didierstevens.com/programs/ariad/

      Read very very carefully before installing.
      dev/null
    • RE: Should you be worried about the Windows

      @Loverock Davidson - Dude, you have to be a Linux or Mac user playing at being a "koolaid drinking" Microsoft supporter.

      Seriously, nobody can be this stupid/arrogant in real life (except maybe some conspicuous Linux advocates), give it up.

      ZDNet, please please please, institute a "block user" ability? I beg you!!!!
      PollyProteus
      • You are new ZDNet readers, are you?

        @PollyProteus
        Anyone who has been here for any length of time knows that LD is all tongue-in-cheek.
        Patanjali
  • Read this

    Much better article. See who is worried, perhaps this will give you some perspective.
    http://www.computerworld.com/s/article/9179358/Experts_predict_extensive_attacks_of_Windows_zero_day
    kirovs@...
    • Summary of that article

      @kirovs@...

      Key points from that article are:

      "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time."

      As well as:

      "The Internet Storm Center (ISC) pushed its Infocon threat indicator to "Yellow," a rare move, while Symantec also bumped up the status of its ThreatCon barometer to "Elevated." Today's shift by ISC was the first Yellow since July 2009...."

      So yes this could be a big deal if it's adapted before MS can create and send out a patch!

      Not a lot anyone can do other than wait and see which happens first!
      DevJonny