Microsoft Isn't Fixing 8-Year-Old Shortcut Exploit Abused For Spying

Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports: The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. "This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."

After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.

I kind of agree.

[PsychoSlashDot]

It's not much different from a .BAT file that's got the naughty bits at line/column 110,000. There's only so much you can do while allowing a general-purpose computer to do useful things. The answer is least-privilege permissions and blocking executables of all sorts at the network perimeter. Pretty sure .LNK is on the naughty list in Outlook for instance. Obfuscated shell scripts can impact any real OS, with the impact only mitigated by permissions.

Re:I kind of agree.

[mysidia]

Yeah... LNK files are like executables. Better treat them as such: forbid them from being downloaded from the internet or opened if stored on an external USB drive. Also forbid receipt of archive files such as .ZIP containing LNK files.

Also.. I got to ask: Why is there no length maximum for the shortcut target on a LNK file?
I understand there are long filenames and they should be allowed, but allowing Megabytes of text seems bad.

Why not add a limit that LNK files with targets longer than 65,535 will be treated as valid or bring up an additional error message
the user has to confirm before it can be launched (Long or unusual LNK file target)?

Re:

[thegarbz]

Also.. I got to ask: Why is there no length maximum for the shortcut target on a LNK file?

This is fundamental to all architectural design flaws. You don't know what you don't know. At the time of creation no one considered this.

You've postulated one possible solution, but the underlying problem is more that some moron at MS doesn't recognise this as a security issue worth fixing. While the OP was right about scripts and batch files, the reality is a LNK file is neither of these, doesn't serve that purpose, and should absolutely be limited in length - now that we know how it is being exploited.

Re:

[Anonymous Coward]

i doubt parent was questioning the absence of a hard-coded cap decades ago, only the absence from contemporary OS handling

though i'd still accept "foresight is hard" as an answer, if much more weakly

Re:

[mysidia]

At the time of creation no one considered this.

What do you mean? Of course they had to have considered length limits.
And this issue has been getting abused by malware since Windows XP days.
So Microsoft has had almost 20 years to look back at that decision and address it.

These files can only be created in the first place because hackers have reverse-engineered
parts of the LNK file format and bypassed Windows' built-in functions for creating LNK files.

The Windows Explorer user interface has a limit for how

Re:

[thegarbz]

What do you mean? Of course they had to have considered length limits.

Of course, but only for the application in question. The brief was creating a LNK file so the length limits would have been >= the path length limit of FAT32 + a bit extra for software flags.
Why would they have considered an upper limit? They aren't doing math, they don't need to worry about how many bits are assigned to a number.

The Windows Explorer user interface has a limit for how many characters you can put in there

So that's even more evidence. "oh the interface limits the user anyway, no need for structural limits in the underlying file".

Re:

[Myria]

There's always "powershell.exe -command ..." to get PowerShell to download an .exe from a web server and run it.

Re:

[mysidia]

You can do that; however the user can see that the LNK is a shortcut to the Powershell command that if they check the shortcut Properties.
And a power user would immediately realize that the file is suspicious.

The Malware trick we are discussing here is one that uses a crafted LNK binary to conceal the fact that the LNK is malicious by making it so that even an experienced power users and most Windows system admins would not be able to see the text the LNK file shortcuts to (It will be invisible if you

Re:

[belg4mit]

Because TRIM() before displaying and saving the shortcut destination would be so difficult or unreasonable? Especially since the dialog already auto-selects the contents of the path field when the Shortcut tab is viewed. .LNK is more like a symlink than a shell script

Re:

[angel'o'sphere]

.LNK is more like a symlink than a shell script

Nope. You should fool around with them a bit.

Nothing to do with sym links.

They are "shortcuts" to start batch scripts - or executables - with predefined parameters. Pretty close to scripts.

A sym link/hard link in itself is just an alternative path name ... for a file.

Re:

[belg4mit]

I have. And while they offer a bit more than symlinks, it's not that much more. I think another point in favor of the symlink comparison is the ability to create shortcuts to arbitrary non-executable files and folders.

Re:

[Valgrus Thunderaxe]

That's a silly analogy. You can do basically the same thing as this 'exploit' with a BASH script on Linux.

Re:

[Targon]

A shortcut/link is purely about convenience. Sure, something you drop on your desktop to run something located in another directory is the sort of thing you would download from some web page, right? Every single operating system that allows for a symbolic link to another file or directory has this capability, it's NOT a security issue as much as, "why are you doing something stupid?". If you ask for help doing something, and someone responds by sending you instructions that tell you to wipe your hard

Re:

[DarkOx]

That isn't really true, NTFS has junction points which are more similar to symlinks on UNIX filesystems.

Shortcuts can do a bunch of things like store command line switches as well. More than that though they basically replace PIF files, they can store all kinds of things like environment variables, if the run-as, console properties, compatibility settings, ...

They are a lot more than symlinks. I am not defending the design, but they do solve a number problems and do complex things, which means attack surf

Eh

[The MAZZTer]

It was shown you can do the same thing with the Run dialog. Get the user to paste something in there where the end of what they pasted looks benign but the beginning has malicious commands. There's only so much you can do to protect users from themselves. In this case, I would also have to ask, how do the LNK files get on the user's machine in the first place? It seems to me that's probably the piece that prevents this from being considered a security issue. As Raymond Chen (Microsoft employee) sometimes quotes Douglas Adams: "It rather involved being on the other side of this airtight hatchway." If a machine is already compromised, further "exploits" aren't really security issues at that point.

Re:

[thegarbz]

It was shown you can do the same thing with the Run dialog. Get the user to paste something in there where the end of what they pasted looks benign but the beginning has malicious commands. There's only so much you can do to protect users from themselves.

There is something fundamentally different between getting a user to click on a file vs getting a user to copy and paste a long line of code in the run dialogue. While the latter is obviously user error, the former is definitely malicious obfuscation. There's no reason for a LNK file to ever be longer than even a couple of hundred characters, let alone 1MB.

The blame the user for their own security issues bullshit hasn't worked for 3 decades. This absolutely is a security issue. The Run dialogue is designed

Re:

[PsychoSlashDot]

It was shown you can do the same thing with the Run dialog. Get the user to paste something in there where the end of what they pasted looks benign but the beginning has malicious commands. There's only so much you can do to protect users from themselves.

There is something fundamentally different between getting a user to click on a file vs getting a user to copy and paste a long line of code in the run dialogue. While the latter is obviously user error, the former is definitely malicious obfuscation. There's no reason for a LNK file to ever be longer than even a couple of hundred characters, let alone 1MB.

The blame the user for their own security issues bullshit hasn't worked for 3 decades. This absolutely is a security issue. The Run dialogue is designed to do the specific thing you mention. A .LNK file is not.

While I hear what you're saying, I still don't think your conclusion follows. Windows Explorer has a 255 character file path limit, yes. But NTFS does not. It's 64k. That means both the path to the target and the actual LNK shortcut name can be 64k. Only the LNK could be to a network path, adding some. Plus you can set a custom icon on an LNK. I'm not positive it embeds the ICO into the LNK itself; it might just reference it. There are other metadata properties.

My point is that while you've said "

Re:

[DarkOx]

I wanted to respond with about the same reading all the 'why allow such big length posts'

As you point out the lower bound Microsoft could assume they could limit the strings to without break things is NT's max path length. 32k characters (utf-16) is still more than long enough to do all kinds of goofy relative path traversal obscurity, plenty of room to generate unique network targets for observation and host specific coerced authentication attacks, and many other vectors for mischief. Newer Windows release

Just wondering ...

[angel'o'sphere]

How would such a .LNK file come onto my computer? Asking for a friend ...

Seriously, there must be minimum 2 steps:
- I install the link/shortcut file, then I perfectly well know what it is doing
- someone runs to my computer when I am on the toilet and installs it

and now ---> someone has to execute it! And that would not be me, as I don't execute unknown stuff - actually do not have any unknown stuff.

Re:

[Hamsterdan]

They're common on torrent sites (Torrent Galaxy I'm looking at you)

Definitely not from Russia

[caseih]

So says the CIA and FBI.

download and run

[Lehk228]

if you already tricked the user into downloading a file and running it, just make it a malicious .exe

Why

[vbdasc]

is this "bug" 8-years old, instead of 30-years old? LNK files first appeared in Windows 95, if I remember correctly. What saves Windows 95 from being exploited? Inability to put megabytes of junk in the LNK?

Shortening in user interfaces

[peppepz]

There is a problem in general with the abbreviation of strings in user interfaces, when the length of the visual representation of a string exceeds the width of the user interface field that the programmer has designed to display it. This problem has always existed, as this 30-year old bug shows, but has become much more widespread today, when programmers don't design and test user interfaces directly but rather use tools and technologies that render the programmer's abstract description of the UI into a concrete presentation that is specific for the resolution, density and orientation of the screen that is currently displaying it. This is great in theory, but in practice what happens is that programmers only test the UI in the English language and on an expensive large screen, and then the rest of the world gets to choose between "document version 1" and "document version 2" by means of a combo box that shows two identical lines reading "document versio...". Often, with no scrollbars, no draggability, no tooltip, without anything that could let one distinguish between the two options. And sometimes even without the "..." telling that a shortening happened at all.

Re:

[cusco]

If you want to use ancient VGA resolution (vision problems?) then install Word 4, which was optimized for that display. Sure, you lose some functionality, but 99% of everything added since that version is window dressing that almost no users will ever access.

Re:

[belg4mit]

You misunderstand. The compare dialog and filename dropdowns are sized *as if* the user has a VGA display, but even for that assumption it's poorly designed. The filenames in this tiny dialog are side by side, giving the user fewer characters to compare files by, just as the OP noted.

Re:

[cusco]

Every OS is riddled with bugs, that's what happens when you have millions of lines of code. They just fixed a Linux bug last year that had been out there for something like 20 years.

It's not a bug

[weirdow]

It's a feature.

Start menu would seem to be a serious issue here

[Torodung]

The only thing that concerns me about this is some kind of installer could put one of these on the Start Menu, where it would be totally obfuscated. All start menu entries are .lnk files, and it's one click execution. So if you install some kind of malware, all you have to do is try to launch it with a malware Start Menu entry.

And that means this is a security issue, no matter what Microsoft says. Yes, it's a UI vuln. If the security issue is in the UI, it's both a UI issue and a security issue. This has be

MS only fixes media reported exploits

[atrimtab]

Nothing has changed since the 1990's when there was Mircosoft exploit every week and if you called Microsoft and asked for fix... they would not provide it.

Try running an Internet Service Provider and keep the Windows users from getting exploited. It was not possible.

The only time Microsoft would provide a quick fix was if an exploit made the nightly news. Like the "ping of death."

Question from a non-windows person

[doc1623]

I tend to use Linux and have since about 2008. I've had to use it at work, but over the years it's become more and more locked down even within IT.

Where are most of these coming from? A shortcut is put in place when the program is installed and can be written over later, with enough privilege (no idea what level on windows). I mean, they talk about government, private, and military computers. Are they coming from official packages, or some man-in the middle program installs, or ... ?