Trend Micro researchers have identified a new vulnerability in Windows. The flaw allows arbitrary code to be executed on a computer without the owner's knowledge or consent. It belongs to the class of weaknesses in which the user interface does not correctly present critical information to the user: essential details can be hidden, or the interface can be manipulated so that the user is misled into running something they would otherwise refuse.
In this case, the attacker abuses the way Windows displays shortcut files (.lnk) in order to execute code. Specifically, the attacker hides malicious commands in the shortcut's command-line arguments by padding them with a large number of whitespace characters. When the user inspects the .lnk file's properties in Windows Explorer, the padding pushes the real arguments out of the visible part of the dialog, so the instructions are not displayed. The victim therefore believes the shortcut is harmless, even though opening it executes the hidden command in the background. The trick can "make the file's dangerous contents invisible to a user".
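Because the shortcut Properties dialog is the component being fooled, checking a suspicious .lnk means parsing the file rather than trusting the UI. The following Python is an added example (not code from the article or from Trend Micro): it builds two minimal shell links according to the MS-SHLLINK layout, reads back their StringData fields, and flags command-line arguments that are padded with whitespace. The padding alphabet, the 64-character threshold and the constructed sample shortcuts are assumptions for the demonstration; the "payload" is a harmless stand-in, not a real sample.

```python
import struct

# ShellLinkHeader constants from the MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that this example needs.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumptions for the heuristic, not values taken from the Trend Micro report:
# any of these characters counts as padding, and this much leading padding is
# treated as an attempt to push the real arguments out of view.
PADDING_CHARS = " \t\n\v\f\r"
PADDING_THRESHOLD = 64


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk: header, RELATIVE_PATH, COMMAND_LINE_ARGUMENTS
    and an empty ExtraData section. No LinkTargetIDList or LinkInfo is emitted."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack(
        "<I16sIIqqqIiIHHII",
        HEADER_SIZE, LINK_CLSID, flags,
        0x20,          # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,       # CreationTime, AccessTime, WriteTime
        0, 0,          # FileSize, IconIndex
        1,             # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,    # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(text: str) -> bytes:
        # CountCharacters (uint16) followed by UTF-16LE characters, no terminator.
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    terminal_block = struct.pack("<I", 0)  # ExtraData ends with a BlockSize < 4
    return header + string_data(relative_path) + string_data(arguments) + terminal_block


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict of Python strings."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + ItemIDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers the struct
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {key} string")
        pos += count * width
        fields[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
    return fields


def scan_lnk(data: bytes) -> dict:
    """Flag arguments padded with whitespace so that the Properties dialog would hide them."""
    args = parse_lnk(data).get("arguments", "")
    leading = len(args) - len(args.lstrip(PADDING_CHARS))
    control = sum(1 for c in args if c in PADDING_CHARS and c != " ")
    return {
        "leading_padding": leading,
        "control_whitespace": control,
        "effective_arguments": args.strip(PADDING_CHARS),
        "suspicious": leading >= PADDING_THRESHOLD or control > 0,
    }


if __name__ == "__main__":
    # Constructed samples: a normal shortcut and one whose arguments sit behind 900 spaces.
    benign = build_lnk(r"..\Windows\System32\notepad.exe", r"C:\notes.txt")
    padded = build_lnk(r"..\Windows\System32\cmd.exe", " " * 900 + "/c calc.exe")
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, scan_lnk(blob))
```

The parser only walks the structures needed to reach StringData; a real scanner would also read the LinkTargetIDList, since the target can be expressed there rather than in RELATIVE_PATH. Tab, line-feed and carriage-return characters are treated as suspicious on their own because legitimate shortcut arguments practically never contain them, whereas a handful of ordinary spaces is normal and only becomes interesting in bulk.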
Eleven criminal gangs have exploited the flaw
Experts consider it a zero-day: the vulnerability was being exploited in attacks before it was publicly disclosed, and before any patch existed. Trend Micro's research shows that eleven groups have used the flaw in their operations since 2017. It has primarily been used by state-sponsored groups from North Korea, Iran, Russia and China, countries known for conducting large-scale espionage operations.
In most attacks the vulnerability was used to install malware such as Ursnif, Gh0st RAT and Trickbot on the targeted machines. Nearly 70% of the attacks aimed at espionage and information theft; only about 20% were financially motivated. Trend Micro says it found nearly a thousand malicious samples exploiting the flaw, but "it is likely that the total number of exploitation attempts is much higher." The majority of the exploitation attempts are attributed to North Korea. The attacks primarily target government, financial and telecommunications organisations.
Microsoft reluctant to patch the flaw
Initially, Microsoft steadfastly refused to patch the vulnerability. Trend Micro explains that it "submitted a proof-of-concept exploit to Microsoft", that is, a working demonstration that the vulnerability can be exploited. Despite the evidence provided by the researchers, the Redmond company "refused to resolve this vulnerability with a security patch".
In a response to our colleagues at Bleeping Computer, Microsoft has since clarified its position. The company argues that existing protections already shield Windows users from malicious files exchanged online: "Microsoft Defender integrates detection mechanisms to identify and block this threat, while Smart App Control adds additional protection by preventing the download of malicious files from the Internet."
Microsoft also encourages "customers to exercise caution when downloading files from unknown sources, as highlighted by security warnings, which are designed to detect and alert users to potentially harmful files." While the company believes that the issue described in the report does not meet the bar for immediate servicing, it says it will consider addressing it in a future version of Windows. To justify its initial refusal, Microsoft points to its current vulnerability severity classification guidelines. In practice, this means the shortcut Properties dialog still cannot be trusted to show a .lnk file's full target, and a suspicious shortcut has to be inspected with a parser or a hex editor rather than through the user interface.
Source: Trend Micro