Microsoft Isn't Fixing 8-Year-Old Shortcut Exploit Abused For Spying (theregister.com) 19
Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports: The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.
Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. "This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."
After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.
Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. "This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."
After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.
I kind of agree. (Score:5, Informative)
Re:I kind of agree. (Score:4, Interesting)
Yeah... LNK files are like executables. Better treat them as such: forbid them from being downloaded from the internet or opened if stored on an external USB drive. Also forbid receipt of archive files such as .ZIP containing LNK files.
Also.. I got to ask: Why is there no length maximum for the shortcut target on a LNK file?
I understand there are long filenames and they should be allowed, but allowing Megabytes of text seems bad.
Why not add a limit that LNK files with targets longer than 65,535 will be treated as valid or bring up an additional error message
the user has to confirm before it can be launched (Long or unusual LNK file target)?
Re: (Score:3)
Also.. I got to ask: Why is there no length maximum for the shortcut target on a LNK file?
This is fundamental to all architectural design flaws. You don't know what you don't know. At the time of creation no one considered this.
You've postulated one possible solution, but the underlying problem is more that some moron at MS doesn't recognise this as a security issue worth fixing. While the OP was right about scripts and batch files, the reality is a LNK file is neither of these, doesn't serve that purpose, and should absolutely be limited in length - now that we know how it is being exploited.
Re: (Score:2)
Because TRIM() before displaying and saving the shortcut destination would be so difficult or unreasonable? Especially since the dialog already auto-selects the contents of the path field when the Shortcut tab is viewed. .LNK is more like a symlink than a shell script
Re: (Score:2)
Re: (Score:2)
A shortcut/link is purely about convenience. Sure, something you drop on your desktop to run something located in another directory is the sort of thing you would download from some web page, right? Every single operating system that allows for a symbolic link to another file or directory has this capability, it's NOT a security issue as much as, "why are you doing something stupid?". If you ask for help doing something, and someone responds by sending you instructions that tell you to wipe your hard
Re: (Score:2)
That isn't really true, NTFS has junction points which are more similar to symlinks on UNIX filesystems.
Shortcuts can do a bunch of things like store command line switches as well. More than that though they basically replace PIF files, they can store all kinds of things like environment variables, if the run-as, console properties, compatibility settings, ...
They are a lot more than symlinks. I am not defending the design, but they do solve a number problems and do complex things, which means attack surf
Eh (Score:4, Insightful)
Re: (Score:2)
It was shown you can do the same thing with the Run dialog. Get the user to paste something in there where the end of what they pasted looks benign but the beginning has malicious commands. There's only so much you can do to protect users from themselves.
There is something fundamentally different between getting a user to click on a file vs getting a user to copy and paste a long line of code in the run dialogue. While the latter is obviously user error, the former is definitely malicious obfuscation. There's no reason for a LNK file to ever be longer than even a couple of hundred characters, let alone 1MB.
The blame the user for their own security issues bullshit hasn't worked for 3 decades. This absolutely is a security issue. The Run dialogue is designed
Re: (Score:3)
It was shown you can do the same thing with the Run dialog. Get the user to paste something in there where the end of what they pasted looks benign but the beginning has malicious commands. There's only so much you can do to protect users from themselves.
There is something fundamentally different between getting a user to click on a file vs getting a user to copy and paste a long line of code in the run dialogue. While the latter is obviously user error, the former is definitely malicious obfuscation. There's no reason for a LNK file to ever be longer than even a couple of hundred characters, let alone 1MB.
The blame the user for their own security issues bullshit hasn't worked for 3 decades. This absolutely is a security issue. The Run dialogue is designed to do the specific thing you mention. A .LNK file is not.
While I hear what you're saying, I still don't think your conclusion follows. Windows Explorer has a 255 character file path limit, yes. But NTFS does not. It's 64k. That means both the path to the target and the actual LNK shortcut name can be 64k. Only the LNK could be to a network path, adding some. Plus you can set a custom icon on an LNK. I'm not positive it embeds the ICO into the LNK itself; it might just reference it. There are other metadata properties.
My point is that while you've said "
Re: (Score:1)
I wanted to respond with about the same reading all the 'why allow such big length posts'
As you point out the lower bound Microsoft could assume they could limit the strings to without break things is NT's max path length. 32k characters (utf-16) is still more than long enough to do all kinds of goofy relative path traversal obscurity, plenty of room to generate unique network targets for observation and host specific coerced authentication attacks, and many other vectors for mischief. Newer Windows release
Just wondering ... (Score:1, Insightful)
How would such a .LNK file come onto my computer? Asking for a friend ...
Seriously, there must be minimum 2 steps:
- I install the link/shortcut file, then I perfectly well know what it is doing
- someone runs to my computer when I am on the toilet and installs it
and now ---> someone has to execute it! And that would not be me, as I don't execute unknown stuff - actually do not have any unknown stuff.
Definitely not from Russia (Score:2)
So says the CIA and FBI.
download and run (Score:1)
Why (Score:4, Interesting)
is this "bug" 8-years old, instead of 30-years old? LNK files first appeared in Windows 95, if I remember correctly. What saves Windows 95 from being exploited? Inability to put megabytes of junk in the LNK?
Shortening in user interfaces (Score:5, Insightful)