Microsoft repairs shortcut flaw leading to SCADA malware

Share this article:

Microsoft on Monday released an emergency fix for a Windows vulnerability that is being exploited to launch attacks against industrial control systems.

The patch (MS10-046) fixes a flaw involving the way the operating system handles shortcut files (.lnk). It affects Windows 7, Vista, XP, Server 2008 and Server 2008 R2.

The flaw permits a malicious .lnk file installed on a USB device to run a Dynamic Link Library (DLL), and a machine can be infected simply by a user viewing the related icon, security experts have said.

The out-of-band update, the third such emergency fix this year from Microsoft, comes as a new strain of malware pounces on the vulnerability, leading to a dramatic increase in attempted exploits.

The Stuxnet worm initially was responsible for most of the attack attempts, but according to the software company's Malware Protection Center, the Sality malware family now has overtaken Stuxnet in terms of prevalence.

"Sality is a highly virulent strain," according to a Friday blog post. "It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security and then download other malware. It is also a very large family — one of the most prevalent families this year."

What makes this vulnerability so unique is that many of its exploits have been targeting SCADA (supervisory control and data acquisition) systems.

But because many of those systems run on older operating systems no longer supported by Microsoft, they will not be patched, said Andrew Storms, director of security operations at vulnerability management firm nCircle.

"Utility companies that know they cannot upgrade are fully aware their systems contain a public vulnerability that is being exploited," Storms said. "Utility companies and SCADA vendors are probably scrambling to find a resolution to this problem as quickly as possible. All users that haven't upgraded from XP Service Pack 2 will also remain vulnerable. Today's patch is another powerful reason for XP users to take advantage of the free upgrade and move sooner rather than later.”

In the days following Microsoft's disclosure of the bug on July 16, most of the attempts to infect systems turned up in Iran. Since then, the the United States and Brazil have been hit particularly hard, according to Lumension, a  vulnerability management company.
Share this article:

Sign up to our newsletters

More in News

Latest Citadel trick allows RDP access after malware's removal

Latest Citadel trick allows RDP access after malware's ...

Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Cryptoblocker variant emerges, encryption differs from CryptoLocker

Trend Micro has detected a variant of CryptoLocker in the wild that relies on the advanced encryption standard.

Jimmy John's sandwich chain investigating possible breach

Some financial institutions have indicated that credit cards recently used at Jimmy John's locations have been used to make fraudulent purchases.