August 02, 2010

Microsoft repairs shortcut flaw leading to SCADA malware

Microsoft on Monday released an emergency fix for a Windows vulnerability that is being exploited to launch attacks against industrial control systems.

The patch (MS10-046) fixes a flaw involving the way the operating system handles shortcut files (.lnk). It affects Windows 7, Vista, XP, Server 2008 and Server 2008 R2.

The flaw permits a malicious .lnk file installed on a USB device to run a Dynamic Link Library (DLL), and a machine can be infected simply by a user viewing the related icon, security experts have said.

The out-of-band update, the third such emergency fix this year from Microsoft, comes as a new strain of malware pounces on the vulnerability, leading to a dramatic increase in attempted exploits.

The Stuxnet worm initially was responsible for most of the attack attempts, but according to the software company's Malware Protection Center, the Sality malware family now has overtaken Stuxnet in terms of prevalence.

"Sality is a highly virulent strain," according to a Friday blog post. "It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security and then download other malware. It is also a very large family — one of the most prevalent families this year."

What makes this vulnerability so unique is that many of its exploits have been targeting SCADA (supervisory control and data acquisition) systems.

But because many of those systems run on older operating systems no longer supported by Microsoft, they will not be patched, said Andrew Storms, director of security operations at vulnerability management firm nCircle.

"Utility companies that know they cannot upgrade are fully aware their systems contain a public vulnerability that is being exploited," Storms said. "Utility companies and SCADA vendors are probably scrambling to find a resolution to this problem as quickly as possible. All users that haven't upgraded from XP Service Pack 2 will also remain vulnerable. Today's patch is another powerful reason for XP users to take advantage of the free upgrade and move sooner rather than later.”

In the days following Microsoft's disclosure of the bug on July 16, most of the attempts to infect systems turned up in Iran. Since then, the the United States and Brazil have been hit particularly hard, according to Lumension, a  vulnerability management company.
Related Articles
Related Topics

Sign up to our newsletters

More in News

House Intelligence Committee OKs amended version of controversial CISPA

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.

Three LulzSec members plead guilty in London

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, who was not named until now because of his age, all admitted their involvement in the hacktivist gang's attack spree.