Microsoft repairs shortcut flaw leading to SCADA malware


Microsoft on Monday released an emergency fix for a Windows vulnerability that is being exploited to launch attacks against industrial control systems.

The patch (MS10-046) fixes a flaw involving the way the operating system handles shortcut files (.lnk). It affects Windows 7, Vista, XP, Server 2008 and Server 2008 R2.

The flaw permits a malicious .lnk file installed on a USB device to run a Dynamic Link Library (DLL), and a machine can be infected simply by a user viewing the related icon, security experts have said.
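The mechanism described above is a Shell Link (.lnk) file whose embedded target list names a DLL that the shell loads while rendering the icon. The script below is an added triage example, not code from the article, Microsoft or any vendor, that parses a .lnk header and its target ID list and reports any DLL path found, so a removable drive can be swept without opening it in Explorer. Function names are the author's own and the sample shortcut bytes are constructed inline, not real malware.

```python
import re
import struct
import uuid
from pathlib import Path

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # .lnk header CLSID
HAS_LINK_TARGET_ID_LIST = 0x01  # LinkFlags bit: an ItemIDList follows the 76-byte header
# A UTF-16LE run of printable ASCII that ends in ".dll", any case.
DLL_PATH_RE = re.compile(rb"(?:[ -~]\x00)+\.\x00d\x00l\x00l\x00", re.IGNORECASE)

def lnk_dll_references(data):
    """Return DLL paths named in a shortcut's LinkTargetIDList ([] if none).

    Checks the 76-byte header, then walks the ItemIDList (2-byte size + data
    per item, zero size ends it); non-.lnk input raises ValueError."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != SHELL_LINK_CLSID:
        raise ValueError("Shell Link CLSID mismatch")
    if not struct.unpack_from("<I", data, 20)[0] & HAS_LINK_TARGET_ID_LIST:
        return []
    if len(data) < 0x4E:
        raise ValueError("truncated LinkTargetIDList")
    pos, found = 0x4E, []
    end = min(len(data), pos + struct.unpack_from("<H", data, 0x4C)[0])
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:  # TerminalID ends the list
            break
        for m in DLL_PATH_RE.findall(data[pos + 2:pos + item_size]):
            path = m.decode("utf-16-le")
            if path not in found:
                found.append(path)
        pos += item_size
    return found

def scan_lnk_files(root):
    """Map every .lnk under root (e.g. a mounted USB drive) to its DLL paths."""
    return {str(p): lnk_dll_references(p.read_bytes()) for p in Path(root).rglob("*.lnk")}

def _sample_lnk(item_payloads):
    """Constructed .lnk bytes for testing: a header plus one ID list."""
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID.bytes_le + struct.pack(
        "<IIQQQIIIHHII", HAS_LINK_TARGET_ID_LIST, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\0\0"
    return header + struct.pack("<H", len(body)) + body

# Constructed samples, not real malware; the leading two bytes stand in for item type/sort fields.
BENIGN_LNK = _sample_lnk([b"\x1f\x50" + "C:\\Users\\Public\\notes.txt".encode("utf-16-le")])
SUSPICIOUS_LNK = _sample_lnk([b"\x1f\x00" + "E:\\icons\\payload.dll".encode("utf-16-le")])
```

A non-empty result is a reason to quarantine the drive and inspect the named DLL, not proof of exploitation, since legitimate Control Panel shortcuts can also reference DLLs.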

The out-of-band update, the third such emergency fix this year from Microsoft, comes as a new strain of malware pounces on the vulnerability, leading to a dramatic increase in attempted exploits.

The Stuxnet worm initially was responsible for most of the attack attempts, but according to the software company's Malware Protection Center, the Sality malware family now has overtaken Stuxnet in terms of prevalence.

"Sality is a highly virulent strain," according to a Friday blog post. "It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security and then download other malware. It is also a very large family — one of the most prevalent families this year."

What makes this vulnerability unusual is that many of its exploits have targeted SCADA (supervisory control and data acquisition) systems.

But because many of those systems run on older operating systems no longer supported by Microsoft, they will not be patched, said Andrew Storms, director of security operations at vulnerability management firm nCircle.

"Utility companies that know they cannot upgrade are fully aware their systems contain a public vulnerability that is being exploited," Storms said. "Utility companies and SCADA vendors are probably scrambling to find a resolution to this problem as quickly as possible. All users that haven't upgraded from XP Service Pack 2 will also remain vulnerable. Today's patch is another powerful reason for XP users to take advantage of the free upgrade and move sooner rather than later."

In the days following Microsoft's disclosure of the bug on July 16, most of the attempts to infect systems turned up in Iran. Since then, the United States and Brazil have been hit particularly hard, according to Lumension, a vulnerability management company.