Microsoft is issuing an out-of-band patch today to address rising attacks against the Windows shortcut vulnerability discovered last month. The update comes just over a week ahead of the regularly scheduled Patch Tuesday for the month of August, but leaves Windows 2000 and Windows XP SP2 systems to fend for themselves.
The Microsoft Malware Protection Center noted “Although there have been multiple [malware] families that have picked up this vector, one in particular caught our attention this week–a family named Sality, and specifically Sality.AT. Sality is a highly virulent strain. It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security, and then download other malware. It is also a very large family–one of the most prevalent families this year.”
To protect customers against a rising tide of attacks–like Sality–which exploit the LNK flaw in Windows, Microsoft expedited the release of the patch.
Qualys CTO Wolfgang Kandek points out in a blog post that “Primary attack vectors for the LNK vulnerability are USB sticks and shared drives, the attack depends on a specially crafted LNK file and a custom DLL to function. Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction.”
Kandek explained “Windows 2000 and XP SP2 users will not be covered and are now in a predicament that will become increasingly urgent. Attacks will continue to become more prevalent and their defensive options are limited.”
Microsoft does provide advice for a workaround that could mitigate the risk on these legacy platforms in security advisory KB2286198. However, implementing the workaround seriously impedes the usability of the Windows system. All desktop icons are disabled–replaced with a blank white sheet, and network navigation is affected as well.
Many companies face hurdles in migrating to newer operating system platforms. Reliance on archaic legacy applications which are not compatible with a newer OS like Windows 7 for critical business functions means hanging on to outdated Windows platforms. Some companies simply feel that the current environment is working fine and there is no compelling reason to invest the time and money required to upgrade.
Regardless of the justification for clinging to unsupported Windows operating systems, the time has come to seriously evaluate the alternatives to that decision. IT admins managing legacy Windows platforms are already at a disadvantage because Windows 2000 and Windows XP don’t have the improved security features included in Windows 7. Now that support for those platforms has expired, IT admins must face new threats and exploits without any patches or updates from Microsoft.
IT admins can provide additional protection against remote attempts to exploit this vulnerability by disabling the SMB and WebDAV protocols for outbound traffic on Internet-facing firewalls.
There are mitigations and workarounds, but IT admins can only stop the dam from breaking for so long. It’s time for companies to seriously look at applying SP3 if they are running Windows XP, or simply upgrading the operating system entirely and making the move to Windows 7.