Microsoft isn't fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority. The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware …
I get where the researchers are coming from, but how many users take the time to review the tooltip on a link to see which executable it's referring to? If the attacker has gotten to the point where they can get a user to click on a compromised link, the obfuscation of the link target is just gravy.
"We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update ..."
If we just block all email .LNK files, and other infectious attachments, and make every browser block them too then we might have a slightly better environment.
I have a friend who, in the very early 2000s, came into the office one morning to find the corporate IT department waiting for him with glowering looks and metaphorical (or possibly actual) baseball bats.
He was responsible for coding hardware drivers, and had written a script that would run the build overnight and e-mail him the resulting log file. However his script contained an error; when the build failed and was logged, it tried again, and again, and again... until it couldn't write any more logfile due to having filled up /home, at which point it continued as written and e-mailed the log file. Which was now 4GB in size.
Apparently it took down the company's e-mail servers across Europe and the US, and my friend was a little embarrassed, to say the least.
If experienced enough he could have rebuked with "What do you mean, there is no quota on the home drive? And the mail server does not even have a basic protection regarding largest mail size, at best right in the SMTP listener to abort such nonsense? So this could have happened at any time, for all users, just because a mail clients runs havoc or a script runs havoc? What about protection against things like that from external mails?" etc etc...
Early 2000s, a company that like so many large organizations combined technical brilliance with occasional pants-on-head instances of daftness; and its campus was badly damaged by an oil storage depot explosion shortly thereafter. And from that, it probably won't take Sherlock Holmes to figure out which company I am talking about.
And there's the server versions of W10 too (2016, 2019 and 2022) which are in support for a good while yet - there will be instances (e.g. terminal servers) where users are logging directly into these. I would assume that the server versions will also be affected by this, including the server version (2025) of Win 11.
Well, Server 2022 is a hybrid. The best of Windows 11 21h2, like smb-compression, nested-v for AMD, and robocopy.exe /iorate. But still the better Windows 10 UI. And longer updates, as already mentioned :D. A few other typical server stuff I would love to have on workstation on top, like deduplication...
>> "As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files." <<
As an operating system best practice, unless that file is executed, users should be safely able to download what the hell they like. Normalising pwns through gif images or anything else should be unacceptable.
If it's a useful element of the various vulnerabilities exploited by Russineseorkean state sponsored hackers, then one must assume there is a reason it hasn't been plugged. And the simplest explanation would be that the vulnerability hasn't been fixed is because it's also a useful tool for US spy agencies who have told MS not to fix it yet..
Yes, one could assume that. It seems more likely to me that it hasn't been fixed because it is a relatively minor thing which doesn't introduce any new vulnerability in the system and likely doesn't actually help the attacker much at all. The workflow for this exploit is that a user sees an lnk file in something they've downloaded or been sent. There is virtually no justification for doing that in the first place. If the user knows this, they won't use the lnk file and the attack fails. If the user doesn't know that and executes that, the attack proceeds. This only helps in the situation where the user is knowledgeable enough to know that these shortcut files exist, identify one, but is still willing to execute it after having a glance at its properties, properties that, with the obfuscation available, make it look like it is going to spawn a command prompt. The command that it is going to open is not visible because of the whitespace. So, if someone does look at the ostensible properties and execute it, they should expect that it opens CMD at the current location and nothing else. So they shouldn't run it anyway.
Microsoft should still try to fix this, but I agree with them that it is a low priority issue. I wouldn't be surprised that attackers have no evidence telling them that this ever helped, but it was easy to include and why not do it just in case it helps once? As another commenter pointed out, it actually makes it easier to spot automatically because it makes the file very large in comparison which normal lnk files never are.
> a user sees an lnk file in something they've downloaded or been sent
What the user will see is an icon called "Read Me" or "Important Document" or "Invoice". They won't see it is a .lnk file for the same reason they don't know if an image is in a .jpg or a .jpeg or whatever because they aren't being shown file extensions and they don't like Explorer details view, it is not friendly.
> This only helps in the situation where the user is knowledgeable enough to know that these shortcut files exist, identify one, but is still willing to execute it after having a glance at its properties
Knowing about things like the file properties dialog is for clever Register readers who know how to check for these things not the standard user who just wants to get the email done and out of the way.
"Knowing about things like the file properties dialog is for clever Register readers who know how to check for these things not the standard user who just wants to get the email done and out of the way."
That was basically my point. If someone doesn't know enough to open the properties dialog, then this whitespace padding thing does not make anything more convincing to them. Thus, all such users are irrelevant. I would hope that anyone who does know to use it also knows about lnks in files you get sent over email, and for those who don't, I would hope they recognize that opening a command prompt window alone is implausible and useless. Either of those reactions also make this a nonissue. Thus, I agree with Microsoft: low priority UI fix still worth doing, but no need to yank programmers onto an emergency patch.
Which basically says AV tools like Trend, Windows Defender etc. should be scanning .LNK files and automatically rejecting any with excessive white space and/or questionable web addresses; which given the extensive use of 365, AWS buckets, Google Drive etc. is going to be challenging.
"observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace"
If you have the Windows subsystem for Linux installed on your PC, you can do this:
find /mnt/c/ -iname "*.lnk" -exec ls -s {} \; 2> /dev/null | more
and look for large files (the .lnk files I'm seeing are all 4 blocks or less; I'm assuming "megabytes" would be much larger).
I send stderr to the bitbucket to avoid warnings about paths that Windows blocks. 'ls' of course has other flags besides -s; -S will sort the largest files to the top, but of course you'll have to wait until the command is finished to see any output.
I think 'find' has a way of printing the size (maybe in something more useful than blocks) without the -exec ls, but I don't recall what it is.
Oh please, we are on Windows. Open powershell, and don't cd around 'cause it starts in your userprofile where those files are lurking anyway... You can use -Force to make it recurse into hidden as well, and/or prepend c:\ if you want.
gci *.lnk -Recurse | where Length -gt 3000
Though I personally don't like pipes since the are slow (on every OS), so I prefer using the built-in methods of the object whenever possible. Though you must have a userprofile with a lot of files to see the difference in this example, or run it 1000 times and measure.
(gci *.lnk -Recurse).Where({$_.Length -gt 3000})
Reduce to 2000 or less if you see no output, cause 3000 bytes long .lnk files are really rare, 2000 appear more often.
using Unix find, which outputs a text-file list, which is then piped via exec through ls to get the blocks it uses... POSIX or not, it is so counter-elegant. Which shell (besides powershell) on Linux/Unix does offer actual object oriented handling? I am out of touch with Unix/Linux on that regard, but there are a ton of Linuxers here which could suggest something viable.
Or use a half way decent Explorer alternative, or any of the many file search programs, click on "find" button, put *.lnk for the name, tick find files and check subdirectories. When it is done, click on the size column to show the largest first.
Who are the likely targets people who use powershell or linux subsystem or users who like guis? Which ones need to be taught how to find nasty files?
first: It was a response to the cygwin/Linux-Subsystem variant, GUI would context derailing :D.
second: Has to be installed, on a possibly already infected machine.
third: Is faster more often than you think, even with replacements since most explorer-alternative-search-GUIs show the icons, which they get from the .exe, which triggers the AV, and so on.
fouth: Why as AC? Don't you have freedom of speech? It is not like your comment was rude, out of the line or whatever-else worthy to post as AC.
As in with all this fucking AI dross'n'shite around, how come no one - NO ONE - has thought to add a check for stupid size LNK files as a vector ?
You also find yourself asking what moron didn't put some sort of sanity check on the structure of an LNK file.
You also find yourself asking what moron didn't put some sort of sanity check on the structure of an LNK file.
that would be the one(s) that (still) don't check the size of the data before stuffing it into some buffer causing a stack and/or heap overflow that overwrites some code in memory which can then be used to execute own unsafe/unvetted code... you know... because speed! we gotta make it go as fast as possible with as much bloat as possible so we can drive increasing hardware processing power and storage capabilities... everyone needs 16TB+ of storage in their watch, fridge, and toothbrush, right???
The sanity check being what, exactly? A maximum size? Everyone knows that, as soon as you put a maximum on something, someone finds a reason why they need more than that maximum. 8.3 filenames were too short, 640 KB was not enough RAM, a 2 GB file size limit was not adequate for a filesystem, and on it goes.
So this "link file" is actually a container for Turing Complete Code ?
Effectively a *.bat file that has a *.lnk extension ?
In a sane world, system administrators would have to digitally sign ANY turing-complete thing running on their user's machines:
*.exe
*.docx with VBA inside
*.bat
*.com
*.xlsx with VBA inside
etc
Also, this $hit should by default all be executed inside some sort of sane sandbox. So that the code can - at worst - only encrypt+reconnoiter the (say) docx stuff, but not the CATIA and the *.cpp files.
With AppArmor, the Email program (e.g. Thunderbird) can be locked into a tiny subset of the entire file tree. Then any malware attack will be localized to this subset of the file tree. The user will have to move files explicity out of this subset to other locations.
Likewise, LibreOffice can be locked down with AppArmor, too.
AppArmor profiles can be created with typically less than 10 manhours of effort by a experienced Linux Admin, depending on the complexity of the access patterns of the program. It took me 10 hours for firefox. After that, the AppArmor profile can be copied to any number of systems.
https://github.com/roddhjav/apparmor.d
I've seen some pretty good demos of "nasty stuff" distributed in places like StackOverflow. "Just paste this simple command" into your shell to list files. Targeted at Linux/*NIX, which just happen to contain a bunch of tiny font commands that you really shouldn't be running.
Or e-mails that are a few hundred kb long, appearing to have one line of text. My terminal e-mail reader doesn't do fonts. And it certainly doesn't auto-execute stuff either.
We have to wean users off the expectation that this "magic" technology will automatically entertain them with dancing cat videos at the click of one button.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
