Network Security, Patch/Configuration Management, Vulnerability Management

Microsoft repairs shortcut flaw leading to SCADA malware

Microsoft on Monday released an emergency fix for a Windows vulnerability that is being exploited to launch attacks against industrial control systems.

The patch (MS10-046) fixes a flaw involving the way the operating system handles shortcut files (.lnk). It affects Windows 7, Vista, XP, Server 2008 and Server 2008 R2.

The flaw permits a malicious .lnk file installed on a USB device to run a Dynamic Link Library (DLL), and a machine can be infected simply by a user viewing the related icon, security experts have said.

The out-of-band update, the third such emergency fix this year from Microsoft, comes as a new strain of malware pounces on the vulnerability, leading to a dramatic increase in attempted exploits.

The Stuxnet worm initially was responsible for most of the attack attempts, but according to the software company's Malware Protection Center, the Sality malware family now has overtaken Stuxnet in terms of prevalence.

"Sality is a highly virulent strain," according to a Friday blog post. "It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security and then download other malware. It is also a very large family — one of the most prevalent families this year."

What makes this vulnerability so unique is that many of its exploits have been targeting SCADA (supervisory control and data acquisition) systems.

But because many of those systems run on older operating systems no longer supported by Microsoft, they will not be patched, said Andrew Storms, director of security operations at vulnerability management firm nCircle.

"Utility companies that know they cannot upgrade are fully aware their systems contain a public vulnerability that is being exploited," Storms said. "Utility companies and SCADA vendors are probably scrambling to find a resolution to this problem as quickly as possible. All users that haven't upgraded from XP Service Pack 2 will also remain vulnerable. Today's patch is another powerful reason for XP users to take advantage of the free upgrade and move sooner rather than later.”

In the days following Microsoft's disclosure of the bug on July 16, most of the attempts to infect systems turned up in Iran. Since then, the the United States and Brazil have been hit particularly hard, according to Lumension, a  vulnerability management company.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.