carloscastilla - Fotolia

How are Windows shortcut files vulnerable to attacks?

A Windows vulnerability targets shortcut files and enables hackers to automatically execute code. Expert Judith Myerson explains the flaw and how to stop it.

A vulnerability in Microsoft Windows enables attackers to automatically execute code in shortcut files. How does this attack work, and how can it be prevented?

We all use Windows shortcut files in the Control Panel, Explorer and Taskbar. Except for security professionals, many do it without a second thought. Microsoft supports the use of LNK files for fast access to executables or applications.

When Windows displays Control Panel items, it will initialize each object to provide dynamic icon functionality. A Control Panel applet will execute code when the icon is displayed in Windows.

An attacker can specify a malicious dynamic-link library (DLL) and arbitrary code and put them on a USB drive, a local or remote file system, a CD-ROM, or in other locations. A USB drive could be used to automatically load the code onto the dynamic icon in the Windows Control Panel. Viewing the location of shortcut files with Windows Explorer is sufficient to trigger the vulnerability.

Other applications that display the file icons can be used as attack vectors. The LNK files use SpecialFolderDataBlock or KnownFolderDataBlock attributes to specify the location. These files can bypass the whitelisting first implemented in the fix for this Windows vulnerability, also known as CVE-2010-2568. This bypass can be used to trick Windows into loading an arbitrary DLL file. When a victim displays maliciously crafted shortcut files, an attacker can execute arbitrary code with the privileges of the user.

Users can protect shortcut files using a three-step solution:

  1. block server message block (SMB) outgoing traffic;
  2. disable WebDav on the client's side; and,
  3. block WebDAV outgoing traffic.

To stop SMB outgoing traffic, block connections on ports 139/TCP, 139/UDP, 445/TCP and 445/UDP. This will prevent machines on the local network from connecting to SMB servers.

To disable WebDAV on a Windows client, set the Startup type property for the WebClient service to Disabled. WebDAV outgoing traffic can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to license Windows 10 virtual desktops

Discover how to best configure Windows security settings

Find out how code-reuse attacks bypass Windows 10 security features

This was last published in October 2017

Dig Deeper on Threats and vulnerabilities