Microsoft isn't fixing 8-year-old shortcut exploit abused for spying

An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority. The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware …

  1. Throatwarbler Mangrove Silver badge
    Windows

    Meh

    I get where the researchers are coming from, but how many users take the time to review the tooltip on a link to see which executable it's referring to? If the attacker has gotten to the point where they can get a user to click on a compromised link, the obfuscation of the link target is just gravy.

    1. ecofeco Silver badge
      Facepalm

      Re: Meh

      Why should it exist at all?

  2. Version 1.0 Silver badge
    Windows

    "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update ..."

    If we just block all email .LNK files, and other infectious attachments, and make every browser block them too then we might have a slightly better environment.

    1. David 132 Silver badge

      Watching out for any .lnk files that are, to quote the article, "megabytes" in size rather than the usual 2-4KB, would also be common-sense.

      1. Yorick Hunt Silver badge
        Facepalm

        Tell that to the dolts who complain about not being able to e-mail their 2GB video file, "but I took it on my 'phone, it's only a few minutes long!"

        1. David 132 Silver badge

          I have a friend who, in the very early 2000s, came into the office one morning to find the corporate IT department waiting for him with glowering looks and metaphorical (or possibly actual) baseball bats.

          He was responsible for coding hardware drivers, and had written a script that would run the build overnight and e-mail him the resulting log file. However his script contained an error; when the build failed and was logged, it tried again, and again, and again... until it couldn't write any more logfile due to having filled up /home, at which point it continued as written and e-mailed the log file. Which was now 4GB in size.

          Apparently it took down the company's e-mail servers across Europe and the US, and my friend was a little embarrassed, to say the least.

          1. Wexford

            Hopefully corporate IT learned its lesson and implemented user disk quotas. No single user should be able to take down a system like that.

          2. Jou (Mxyzptlk) Silver badge

            If experienced enough he could have rebuked with "What do you mean, there is no quota on the home drive? And the mail server does not even have a basic protection regarding largest mail size, at best right in the SMTP listener to abort such nonsense? So this could have happened at any time, for all users, just because a mail client runs havoc or a script runs havoc? What about protection against things like that from external mails?" etc etc...

            1. David 132 Silver badge
              Happy

              Early 2000s, a company that like so many large organizations combined technical brilliance with occasional pants-on-head instances of daftness; and its campus was badly damaged by an oil storage depot explosion shortly thereafter. And from that, it probably won't take Sherlock Holmes to figure out which company I am talking about.

      2. collinsl Silver badge

        Does the "megabytes of white space" get compressed though? It may not show up if it's all zeroes.

    2. Rich 2 Silver badge

      Or just block all Windows machines from accessing any network whatsoever. That would improve overall security immeasurably.

      1. Jou (Mxyzptlk) Silver badge

        But what about USB, 5 1/4 inch floppies, and core memory? Oh, no problem, we remove all storage too. And let's not forget the main culprit here: The CPU which is executing those instructions! How dare it to!

    3. Roland6 Silver badge

      > If we just block all email .LNK files

      365 will fall apart.

      It seems the default behaviour when using 365 Outlook is for attachments to be added as .LNKs…

  3. williamyf Bronze badge

    If they fix it for Win11, backporting to Win10 is trivial. If they wait for Win12 to fix it, they may have a chance of not fixing it for Win10 or 11. And please remember that Win10 remains supported in one form or another until ~2033.

    1. Anonymous Coward
      Anonymous Coward

      And there's the server versions of W10 too (2016, 2019 and 2022) which are in support for a good while yet - there will be instances (e.g. terminal servers) where users are logging directly into these. I would assume that the server versions will also be affected by this, including the server version (2025) of Win 11.

      1. williamyf Bronze badge

        Correct, but "PRECISELY" is server 2022 the one that goes out of support in 2033 ;-)

      2. Jou (Mxyzptlk) Silver badge

        Well, Server 2022 is a hybrid. The best of Windows 11 21h2, like smb-compression, nested-v for AMD, and robocopy.exe /iorate. But still the better Windows 10 UI. And longer updates, as already mentioned :D. There are a few other typical server things I would love to have on workstation on top, like deduplication...

  4. Anonymous Coward
    Anonymous Coward

    >> "As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files." <<

    As an operating system best practice, unless that file is executed, users should be safely able to download what the hell they like. Normalising pwns through gif images or anything else should be unacceptable.

  5. Jou (Mxyzptlk) Silver badge

    Microsoft is right

    It IS a UI issue.

    But: Microsoft and UI. That is the issue.

    So many tiny things which could have been improved with Windows 11 compared to the (mostly usable) Win10 UI.

    1. Like a badger

      Re: Microsoft is right

      If it's a useful element of the various vulnerabilities exploited by Russineseorkean state sponsored hackers, then one must assume there is a reason it hasn't been plugged. And the simplest explanation for why the vulnerability hasn't been fixed is that it's also a useful tool for US spy agencies who have told MS not to fix it yet.

      1. doublelayer Silver badge

        Re: Microsoft is right

        Yes, one could assume that. It seems more likely to me that it hasn't been fixed because it is a relatively minor thing which doesn't introduce any new vulnerability in the system and likely doesn't actually help the attacker much at all. The workflow for this exploit is that a user sees an lnk file in something they've downloaded or been sent. There is virtually no justification for doing that in the first place. If the user knows this, they won't use the lnk file and the attack fails. If the user doesn't know that and executes that, the attack proceeds. This only helps in the situation where the user is knowledgeable enough to know that these shortcut files exist, identify one, but is still willing to execute it after having a glance at its properties, properties that, with the obfuscation available, make it look like it is going to spawn a command prompt. The command that it is going to open is not visible because of the whitespace. So, if someone does look at the ostensible properties and execute it, they should expect that it opens CMD at the current location and nothing else. So they shouldn't run it anyway.

        Microsoft should still try to fix this, but I agree with them that it is a low priority issue. I wouldn't be surprised if attackers have no evidence telling them that this ever helped, but it was easy to include and why not do it just in case it helps once? As another commenter pointed out, it actually makes it easier to spot automatically because it makes the file very large in comparison, which normal lnk files never are.

        1. Anonymous Coward
          Anonymous Coward

          Re: Microsoft is right

          > a user sees an lnk file in something they've downloaded or been sent

          What the user will see is an icon called "Read Me" or "Important Document" or "Invoice". They won't see it is a .lnk file for the same reason they don't know if an image is in a .jpg or a .jpeg or whatever because they aren't being shown file extensions and they don't like Explorer details view, it is not friendly.

          > This only helps in the situation where the user is knowledgeable enough to know that these shortcut files exist, identify one, but is still willing to execute it after having a glance at its properties

          Knowing about things like the file properties dialog is for clever Register readers who know how to check for these things not the standard user who just wants to get the email done and out of the way.

          1. doublelayer Silver badge

            Re: Microsoft is right

            "Knowing about things like the file properties dialog is for clever Register readers who know how to check for these things not the standard user who just wants to get the email done and out of the way."

            That was basically my point. If someone doesn't know enough to open the properties dialog, then this whitespace padding thing does not make anything more convincing to them. Thus, all such users are irrelevant. I would hope that anyone who does know to use it also knows about lnks in files you get sent over email, and for those who don't, I would hope they recognize that opening a command prompt window alone is implausible and useless. Either of those reactions also make this a nonissue. Thus, I agree with Microsoft: low priority UI fix still worth doing, but no need to yank programmers onto an emergency patch.

            1. Roland6 Silver badge

              Re: Microsoft is right

              Which basically says AV tools like Trend, Windows Defender etc. should be scanning .LNK files and automatically rejecting any with excessive white space and/or questionable web addresses; which given the extensive use of 365, AWS buckets, Google Drive etc. is going to be challenging.

          2. Teal Bee

            Re: Microsoft is right

            This article is specifically about those users who check. What you said is correct but it's barking up the wrong tree.

  6. mcswell

    "observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace"

    If you have the Windows subsystem for Linux installed on your PC, you can do this:

    find /mnt/c/ -iname "*.lnk" -exec ls -s {} \; 2> /dev/null | more

    and look for large files (the .lnk files I'm seeing are all 4 blocks or less; I'm assuming "megabytes" would be much larger).

    I send stderr to the bitbucket to avoid warnings about paths that Windows blocks. 'ls' of course has other flags besides -s; -S will sort the largest files to the top, but of course you'll have to wait until the command is finished to see any output.

    I think 'find' has a way of printing the size (maybe in something more useful than blocks) without the -exec ls, but I don't recall what it is.

    1. Jou (Mxyzptlk) Silver badge

      Oh please, we are on Windows. Open powershell, and don't cd around 'cause it starts in your userprofile where those files are lurking anyway... You can use -Force to make it recurse into hidden as well, and/or prepend c:\ if you want.

      gci *.lnk -Recurse | where Length -gt 3000

      Though I personally don't like pipes since they are slow (on every OS), so I prefer using the built-in methods of the object whenever possible. Though you must have a userprofile with a lot of files to see the difference in this example, or run it 1000 times and measure.

      (gci *.lnk -Recurse).Where({$_.Length -gt 3000})

      Reduce to 2000 or less if you see no output, because 3000-byte-long .lnk files are really rare; 2000 appears more often.

      Using Unix find, which outputs a text-file list, which is then piped via exec through ls to get the blocks it uses... POSIX or not, it is so counter-elegant. Which shell (besides powershell) on Linux/Unix offers actual object oriented handling? I am out of touch with Unix/Linux in that regard, but there are a ton of Linuxers here who could suggest something viable.

      1. Anonymous Coward
        Anonymous Coward

        Or use a half way decent Explorer alternative, or any of the many file search programs, click on "find" button, put *.lnk for the name, tick find files and check subdirectories. When it is done, click on the size column to show the largest first.

        Who are the likely targets: people who use PowerShell or the Linux subsystem, or users who like GUIs? Which ones need to be taught how to find nasty files?

        1. Jou (Mxyzptlk) Silver badge

          first: It was a response to the cygwin/Linux-Subsystem variant, GUI would be context derailing :D.

          second: Has to be installed, on a possibly already infected machine.

          third: Is faster more often than you think, even with replacements since most explorer-alternative-search-GUIs show the icons, which they get from the .exe, which triggers the AV, and so on.

          fourth: Why as AC? Don't you have freedom of speech? It is not like your comment was rude, out of line or whatever-else worthy to post as AC.

          1. Anonymous Coward
            Anonymous Coward

            "fourth: Why as AC? Don't you have freedom of speech? It is not like your comment was rude, out of line or whatever-else worthy to post as AC."

            Why not use AC? Why get bothered about it, if the comment wasn't rude or whatever?

    2. randomblock1

      find /mnt/c/ -iname "*.lnk" -size +2k -printf "%s %p\n" 2>/dev/null

      Adjust size as needed.

      1. Roland6 Silver badge

        > Adjust size as needed.

        I thought the .LNK file contained a hyperlink, which MS limited to 255 characters - which is always causing me problems with 365…
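The find and gci one-liners above (mcswell's, Jou's and randomblock1's) only filter on file size, and Roland6's question about the length limit points at the real trick: what the Properties dialog shows and what the shortcut actually runs are not the same thing. The following is an added example for this thread, not code from the article, Trend Micro or Microsoft. It parses the fixed-layout header and StringData section of a .lnk file (the MS-SHLLINK format), extracts COMMAND_LINE_ARGUMENTS, measures the longest run of whitespace, and splits the arguments into the part that fits in the Target field and the hidden tail. Two assumptions are labelled in the code: the 260-character width of the Target field is taken as the visibility cutoff, and the .lnk bytes it scans are constructed by a small builder rather than taken from any real sample.

```python
"""Parse the StringData of a Windows shortcut (.lnk, MS-SHLLINK) and flag
shortcuts whose COMMAND_LINE_ARGUMENTS are padded with whitespace so that
the real command sits past what the Properties dialog displays.

Added example for this comment thread; not code from the article, Trend
Micro or Microsoft. The .lnk bytes it scans are constructed below."""
import os
import re
import struct

HEADER_SIZE = 0x4C                                    # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location"))
# Assumption: the Properties dialog's Target field shows about this many
# characters, so anything after them is effectively invisible to the user.
VISIBLE_CHARS = 260


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; raise ValueError if it is not a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                           # IDListSize (2 bytes) then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def padding_report(fields: dict, visible: int = VISIBLE_CHARS) -> dict:
    """Measure whitespace padding in the arguments and split off the hidden tail."""
    args = fields.get("arguments", "")
    longest = max((len(run) for run in re.findall(r"\s+", args)), default=0)
    return {
        "arg_len": len(args),
        "longest_ws_run": longest,
        "visible": args[:visible].strip(),            # what the Target field would show
        "hidden_tail": args[visible:].strip(),        # what actually runs after the padding
        "suspicious": longest >= visible,             # a blank run wider than the field
    }


def scan_tree(root: str, visible: int = VISIBLE_CHARS) -> list:
    """Walk root, parse every .lnk and return (path, report) for the suspicious ones."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    report = padding_report(parse_lnk(fh.read()), visible)
            except (OSError, ValueError):             # unreadable or not really a shortcut
                continue
            if report["suspicious"]:
                hits.append((path, report))
    return hits


def build_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Construct a minimal .lnk: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS (constructed sample)."""
    flags = HAS_REL_PATH | HAS_ARGS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(HEADER_SIZE - len(header))       # attributes, timestamps etc. left zero

    def string_data(s: str) -> bytes:
        raw = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + raw

    return (header + string_data(r"..\..\Windows\System32\cmd.exe")
            + string_data(arguments) + struct.pack("<I", 0))   # terminal ExtraData block


# Constructed samples: an ordinary cmd shortcut, and one padded in the style the thread discusses.
BENIGN_LNK = build_lnk("/k echo hello")
PADDED_LNK = build_lnk("/c whoami" + " " * 2000 + "& start calc.exe")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, len(blob), "bytes ->", padding_report(parse_lnk(blob)))
```

Run as a script it reports on the two constructed samples; `scan_tree(os.path.expanduser("~"))` applies the same check to a real profile. Note that the padded sample is only about 4 KB, so a plain size cutoff like Jou's 3000 bytes would catch it, but a shorter padding that still overflows the 260-character field would not: parsing the arguments catches both, and also surfaces the hidden tail so an analyst can see what the shortcut would really have run.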

  7. BogdanSTORM

    Awwww poor occident

    I am so worried about the occident being targeted, because this cannot be used at all by them against the bad guys from "the rest of the world".

    So bad it's this Microsoft company. Tztztz

  8. AskJeevesAI

    Microsoft has ALWAYS been in BETA mode..........WE are their testlab rats.......its crazy how we are happy to run beta versions of everything on the public internet........ALL FOR THE NOSEY EYES TO LOOK UPON...ARPANET.......INTERNET SPY MACHINE

    1. IGotOut Silver badge

      Jake? New Account?

  9. JimmyPage
    Mushroom

    It's not a UI issue. It's an AI issue.

    As in with all this fucking AI dross'n'shite around, how come no one - NO ONE - has thought to add a check for stupid size LNK files as a vector ?

    You also find yourself asking what moron didn't put some sort of sanity check on the structure of an LNK file.

    1. waldo kitty
      Facepalm

      Re: It's not a UI issue. It's an AI issue.

      You also find yourself asking what moron didn't put some sort of sanity check on the structure of an LNK file.

      that would be the one(s) that (still) don't check the size of the data before stuffing it into some buffer causing a stack and/or heap overflow that overwrites some code in memory which can then be used to execute own unsafe/unvetted code... you know... because speed! we gotta make it go as fast as possible with as much bloat as possible so we can drive increasing hardware processing power and storage capabilities... everyone needs 16TB+ of storage in their watch, fridge, and toothbrush, right???

    2. doublelayer Silver badge

      Re: It's not a UI issue. It's an AI issue.

      The sanity check being what, exactly? A maximum size? Everyone knows that, as soon as you put a maximum on something, someone finds a reason why they need more than that maximum. 8.3 filenames were too short, 640 KB was not enough RAM, a 2 GB file size limit was not adequate for a filesystem, and on it goes.

  10. fg_swe Silver badge

    Hamburger Computing Insanity

    So this "link file" is actually a container for Turing Complete Code ?

    Effectively a *.bat file that has a *.lnk extension ?

    In a sane world, system administrators would have to digitally sign ANY turing-complete thing running on their user's machines:

    *.exe

    *.docx with VBA inside

    *.bat

    *.com

    *.xlsx with VBA inside

    etc

    Also, this $hit should by default all be executed inside some sort of sane sandbox. So that the code can - at worst - only encrypt+reconnoiter the (say) docx stuff, but not the CATIA and the *.cpp files.

  11. fg_swe Silver badge

    Free Enterprise Fix: Use Linux+AppArmor

    With AppArmor, the Email program (e.g. Thunderbird) can be locked into a tiny subset of the entire file tree. Then any malware attack will be localized to this subset of the file tree. The user will have to move files explicitly out of this subset to other locations.

    Likewise, LibreOffice can be locked down with AppArmor, too.

    AppArmor profiles can be created with typically less than 10 man-hours of effort by an experienced Linux Admin, depending on the complexity of the access patterns of the program. It took me 10 hours for firefox. After that, the AppArmor profile can be copied to any number of systems.

    https://github.com/roddhjav/apparmor.d

  12. Paul Hovnanian Silver badge

    Not just Windows

    I've seen some pretty good demos of "nasty stuff" distributed in places like StackOverflow. "Just paste this simple command" into your shell to list files. Targeted at Linux/*NIX, which just happen to contain a bunch of tiny font commands that you really shouldn't be running.

    Or e-mails that are a few hundred KB long, appearing to have one line of text. My terminal e-mail reader doesn't do fonts. And it certainly doesn't auto-execute stuff either.

    We have to wean users off the expectation that this "magic" technology will automatically entertain them with dancing cat videos at the click of one button.
