Sophos Offers Free Tool for Windows Shortcut Flaw

Sophos on Monday announced the availability of a free tool designed to help address the Windows zero-day shortcut vulnerability that Microsoft has not patched.

The Sophos Windows Shortcut Exploit Protection Tool will work with any antivirus software, running on Windows XP, Windows Vista and Windows 7. It works by validating any shortcuts that Windows tries to create. If the shortcut contains the exploit, it will be blocked, according to a blog explanation by Graham Cluley, senior technology consultant at software security firm Sophos.

The tool can be downloaded here and then uninstalled later should Microsoft release a security update for the vulnerability. IT pros can distribute the installer package using Group Policies, according to Cluley.

Cluley noted in a video that Microsoft's published workaround to the zero-day vulnerability will strip out the identities of shortcut icons on the Windows task bar. However, Sophos' tool will just let Windows create the shortcut if the exploit isn't present.

The exploit taps into a flaw in the Windows Shell component to spread malware using .LNK shortcut files. According to Cluley, the exploit is propagated on USB sticks and "if Windows tries to display the icon of an exploited shortcut file it can run the malicious code pointed to by the shortcut, without any user interaction." The exploit can take place "even if AutoPlay and AutoRun are disabled," he added.
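Sophos's tool works by validating each shortcut before Windows creates it, and Cluley's description above explains why that is the right hook: the code a shortcut points to for its icon is run when the icon is rendered. The script below is an added example, not Sophos's tool or code from this article. It parses the Shell Link binary format (the fixed header, the optional ID list and LinkInfo sizes, and the string fields) and applies an assumed policy that flags any shortcut whose icon is served by a DLL, CPL or OCX module outside the Windows directory; that policy and the sample shortcuts are my construction. Legitimate shortcuts commonly load icons from system32 DLLs, which the policy allows, and truncated or malformed files are rejected rather than trusted.

```python
"""Parse Windows shortcut (.LNK, MS-SHLLINK) files and flag those whose icon
would be loaded from a code module outside the Windows directory.
Added example; the flagging policy is an assumption, not Sophos's logic."""
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the ShellLinkHeader
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Extensions treated as loadable code modules by the (assumed) policy
MODULE_EXTENSIONS = (".dll", ".cpl", ".ocx")


def _need(data: bytes, pos: int, count: int) -> None:
    """Raise ValueError instead of reading past the end of a truncated file."""
    if pos + count > len(data):
        raise ValueError("structure sizes exceed file length")


def parse_lnk(data: bytes) -> dict:
    """Return the header icon index and the StringData fields of a shell link."""
    _need(data, 0, LNK_HEADER_SIZE)
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    (icon_index,) = struct.unpack_from("<i", data, 0x38)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        _need(data, pos, 2)
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # skip the whole LinkInfo structure
        _need(data, pos, 4)
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        if link_info_size < 4:
            raise ValueError("invalid LinkInfoSize")
        pos += link_info_size
    fields = {"icon_index": icon_index}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        _need(data, pos, 2)
        (count,) = struct.unpack_from("<H", data, pos)   # count in characters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        _need(data, pos, count * width)
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def icon_loads_module_outside_windows(fields: dict) -> bool:
    """Assumed policy: an icon served by a DLL/CPL/OCX that does not live under
    the Windows directory is flagged; system32 icon libraries are allowed."""
    location = fields.get("icon_location")
    if not location:
        return False
    lower = location.lower()
    if not lower.endswith(MODULE_EXTENSIONS):
        return False
    for var in ("%systemroot%", "%windir%"):
        lower = lower.replace(var, r"c:\windows")
    return not lower.startswith("c:\\windows\\")


def build_lnk(relative_path: str, icon_location: str, icon_index: int = 0) -> bytes:
    """Construct a minimal Unicode shortcut for the demonstration (constructed
    sample: no ID list or LinkInfo, ShowCommand = SW_SHOWNORMAL)."""
    flags = HAS_RELATIVE_PATH | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0)
    header += b"\x00" * 24                                  # three FILETIMEs
    header += struct.pack("<IiIHHII", 0, icon_index, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(icon_location) + b"\x00" * 4


def scan(samples: dict) -> dict:
    """Map each sample name to its verdict; unparsable files are flagged too."""
    verdicts = {}
    for name, blob in samples.items():
        try:
            verdicts[name] = icon_loads_module_outside_windows(parse_lnk(blob))
        except ValueError:
            verdicts[name] = True
    return verdicts


SAMPLES = {   # constructed shortcuts for the demonstration
    "notepad": build_lnk(r"..\notepad.exe", r"%SystemRoot%\system32\shell32.dll", 2),
    "usb_tool": build_lnk(r"tool.exe", r"E:\icons.dll"),
    "ico_file": build_lnk(r"tool.exe", r"E:\tool.ico"),
    "truncated": build_lnk(r"tool.exe", r"E:\icons.dll")[:60],
}

if __name__ == "__main__":
    for name, flagged in scan(SAMPLES).items():
        print(f"{name}: {'FLAGGED' if flagged else 'ok'}")
```

The parser skips the ID list and LinkInfo by their declared sizes and checks every read against the file length, so a shortcut with a bogus size field fails closed instead of being treated as clean. The policy is deliberately narrow: it looks only at where the icon resource will be loaded from, which is the step Cluley says triggers the code without user interaction.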

Microsoft issued a security advisory about the vulnerability earlier this month, but the advisory just points to a "Fix it" workaround for now. Microsoft has subsequently said that new attacks exploiting this vulnerability have been associated with the Stuxnet worm. In particular, the worm has been used to attack supervisory control and data acquisition (SCADA) software systems, particularly two Windows-based solutions from Siemens.

Symantec has speculated about the motives of the attackers, noting that "this is the first publicly widespread threat that has shown a possibility of gaining control of industrial processes and placing that control in the wrong hands." The security firm suggested that one of the darker motives behind the latest attacks using the Stuxnet worm might be to shut down power facilities, or test that possibility.

Last week, Microsoft explained that two new malware families are associated with the .LNK flaw. One of them is called "Win32/Vobfus," a worm that gets its name because it is "coded in Visual Basic (VB) and highly obfuscated." The second is a "Chymine" trojan dropper that distributes malware. Microsoft recommends having the latest antivirus definitions installed and disabling shortcuts as a workaround.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
