Home :: News & Events :: Vulnerability Outbreak Alerts

Vulnerability Report: Microsoft Windows LNK Shortcut Automatic File Execution Vulnerability

Name: Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability

CVE: CVE-2010-2568

CORE IMPACT Exploit Available?: Yes (more information below)

Dates:
Vulnerability Discovered: July 15, 2010
Core Vulnerability Alert Published: July 20, 2010
Vulnerability Alert Last Updated: August 2, 2010

Description:
Microsoft Windows is prone to a vulnerability that may allow a file to automatically run because the software fails to handle 'LNK' files properly.

An attacker may exploit this issue to execute arbitrary code. The attacker must entice a victim to view a specially crafted shortcut.

Vulnerability Impact:
An attacker could use this exploit to execute arbitrary code on the target with the privileges of the currently logged-in user.

Class: Design Error

Impact Classification: Code Execution

Remotely Exploitable: Yes

Locally Exploitable: No

Bugtraq ID: 41732 http://www.securityfocus.com/bid/41732

CVSS Scoring:
CVSS Base Score: 6.8
CVSS Impact Score: 8
Attack Range: Local, Network
Attack Complexity: Medium

Affected Systems:
Windows operating systems:
Windows XP
Windows Vista
Windows 2008
Windows 2003
Windows 7

Status with Affected Vendor:
Microsoft published the advisory 2286198 acknowledging the vulnerability: http://www.microsoft.com/technet/security/advisory/2286198.mspx

Microsoft has released a security patch that remediates this vulnerability: http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx

Exploit Information for CORE IMPACT Customers:
CORE IMPACT Pro provides three exploit modules for this vulnerability:

The first module exploits the vulnerability via a USB drive.
The second provides a typical IMPACT client-side attack via email.
The third is delivered the exploit through a web page via WebDAV.

If one of these modules is successful, the machine is vulnerable. To download the exploit modules, CORE IMPACT customers should launch the product and click on the 'Get Updates' link in the welcome screen. Modules 1 and 2 were first released on 07/20/2010, and Module 3 was first released on 07/22/2010. All three are available to current CORE IMPACT Pro customers.

Remediation
Microsoft has released a security patch that remediates this vulnerability: http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx

Credits:
This issue is being exploited in the wild with W32.Stuxnet (previously known as W32.Temphid).

Latest Press Releases

Core Security Achieves Major Milestones in 2011

Core Security Wins 2011 Global Red Herring Award

Latest In the News

Symantec Warns Users to Disable pcAnywhere

Symantec Advises Disabling Remote PC Software After Code Theft

Upcoming Webcasts

Upcoming Events

InfoSec UK

SANS 2012 Orlando

Press Contacts

Vaughn Harring
Core Security
(617) 645-4322
vharring@coresecurity.com

David Seuss
Core Security
(617) 388-7775
dseuss@coresecurity.com

Lisa Mokaba
Inkhouse
(617) 750-5939
core@inkhouse.net