According to some security researchers, Microsoft’s recent security advisory regarding a vulnerability in Windows is misleading. The security researchers say that, contrary to what Microsoft claims, users do not need to click on malicious icons in order to trigger malware exploiting the flaw. One thing upon which all sides agree: the security vulnerability already has been the subject of attacks.
The vulnerability lies in the Windows Shell component. While Microsoft asserted in its advisory on July 16, 2010, that the result of the vulnerability is that “malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut,” security researchers are stressing that it is not necessary for users to click on an icon.
“All you do is open a device/network share/WebDav point that has the shortcut, and boom! It runs whatever you tell it to,” said Sophos Senior Security Advisor Chester Wisniewski. “It is downright simple to exploit. Any criminal with the most basic of skills can take advantage of this flaw. We have not seen much activity in the wild yet, but now that a proof of concept is posted it is likely to become a major issue as the week rolls on.”
During the weekend of July 17, a security researcher going by the moniker Ivanlef0u published a working exploit for the flaw, which was already being used to infect computers via USB drives with malware known as Stuxnet.
Sean Sullivan, security advisor for North American Labs at F-Secure, wrote on the company’s blog that F-Secure’s analysis indicated clicking on an icon was not required, and simply browsing the removable drive was enough to trigger malware.
Read the full eWeek article on the Microsoft Security Flaw.