Microsoft this week released an automated online tool to counter a recently-revealed zero-day vulnerability in the Windows shell. This vulnerability affects all modern Windows versions from Windows XP through 7, including Server versions, and will almost certainly be exploited by hackers before a formal fix is rolled out via Windows Update.
"Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows," the company notes in a security advisory. "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts."
The vulnerability in question was first revealed by security researchers about a month ago. The earliest public report likely came from VirusBlokAda, an anti-virus company based in Belarus, which wrote about the flaw on June 17. Last week, Microsoft confirmed the findings and published information about the vulnerability along with some workarounds.
This week, the software giant issued an automated FixIt tool on its support web site. Using this tool, users can apply a workaround that changes all Windows shortcut icons, including those in the Start Menu and taskbar, into plain white icons that all look the same. This isn't ideal from a usability standpoint, of course, but it will prevent any exploits. An actual fix is expected in the weeks ahead, possibly by August 10, when the software giant delivers its next regularly scheduled set of security patches. My guess is that Microsoft will try to patch this flaw earlier rather than later, due to increased chatter about impending attacks.
While few Windows users are going to be thrilled with Microsoft's workaround, the vulnerability is in fact quite serious. To exploit the flaw, attackers would simply need to distribute a Windows shortcut (*.lnk) file that has been specially crafted to deliver malware. If the user merely views a folder containing this shortcut file, their PC could be compromised, Microsoft says.