Since the weekend, a so-called zero-day vulnerability has been publicly known in all supported (and even the now-unsupported) Windows operating systems. Merely browsing with Windows Explorer to a folder that contains a manipulated .lnk file – a shortcut to a program, a document or a file in general – may lead to full system compromise. Microsoft has released a security advisory on the issue and has now updated it to state that they are developing a patch.
Since yesterday, proof-of-concept (PoC) code has been publicly available, which helps cyber criminals develop malware that abuses this unfixed vulnerability. A worm exploiting the security hole is already spreading; Avira detects it as RKit/Stuxnet.A. This Trojan has rootkit capabilities to hide its files and processes, and it spreads via USB drives.
In the security advisory, Microsoft offers a workaround to mitigate the vulnerability. It consists of disabling the WebDAV service and deleting the icon handler of lnkfile in the registry. Administrators should roll this workaround out centrally; users should apply it manually as soon as possible. Because the PoC is publicly available, it is likely that malware abusing this vulnerability will be on the rise. Unfortunately, there is no “Fix-it” tool available from Microsoft yet that would reduce this task to simply running the tool.
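As an added example (not part of the original post, and not Microsoft's own Fix-it), the following PowerShell script applies the two workarounds described above on a single machine and then checks that they took effect. The registry location HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler and the service name WebClient (the Windows service that implements the WebDAV client) are my assumptions based on the Microsoft advisory, so confirm them against the advisory text before rolling this out. Until the change is reverted, all shortcuts display a generic white icon, which is the expected side effect.

```powershell
# Added example, not from the Avira post. Run from an elevated PowerShell prompt.
# Assumptions: the lnkfile icon handler lives under HKCR\lnkfile\shellex\IconHandler
# and the WebDAV client is the "WebClient" service (both per the Microsoft advisory).

$iconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$backupFile     = Join-Path $env:TEMP 'lnkfile-IconHandler-backup.reg'

# 1. Back up the icon handler key so the workaround can be reverted after patching.
reg.exe export 'HKCR\lnkfile\shellex\IconHandler' $backupFile /y | Out-Null
Write-Output "Registry backup written to $backupFile"

# 2. Clear the (Default) value of the icon handler. With no handler registered,
#    Explorer no longer loads code to render shortcut icons. (The advisory deletes
#    the value; an empty value has the same effect and is easy to restore.)
$before = (Get-ItemProperty -Path $iconHandlerKey).'(default)'
if ($before) {
    Set-ItemProperty -Path $iconHandlerKey -Name '(default)' -Value ''
    Write-Output "Icon handler cleared (was: $before)"
} else {
    Write-Output 'Icon handler already empty; nothing to do'
}

# 3. Stop and disable the WebDAV client service so remote shares cannot deliver
#    manipulated .lnk files over WebDAV.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 4. Verify both changes before declaring the host mitigated.
$handlerNow = (Get-ItemProperty -Path $iconHandlerKey).'(default)'
$svc        = Get-Service -Name WebClient
$svcStart   = (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode

$ok = (-not $handlerNow) -and ($svc.Status -ne 'Running') -and ($svcStart -eq 'Disabled')
Write-Output ("Icon handler empty : {0}" -f (-not $handlerNow))
Write-Output ("WebClient stopped  : {0}" -f ($svc.Status -ne 'Running'))
Write-Output ("WebClient disabled : {0}" -f ($svcStart -eq 'Disabled'))
Write-Output ("Workaround applied : {0}" -f $ok)

# Restart Explorer so the handler change takes effect without a reboot.
Stop-Process -Name explorer -Force
```

To revert once a patch is installed, import the backup with `reg.exe import <backup file>` and set the WebClient service back to its previous start type. The verification block is the part worth keeping in a rollout script: a host where either check reports False has not actually been mitigated.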
Update: Avira has released updated heuristics to detect malicious .lnk files. They are detected as EXP/CVE-2010-2568.A and EXP/CVE-2010-2568.B, respectively. Avira antimalware products thus protect against this threat without needing special virus definition file updates for every new .lnk exploit.