Microsoft Windows LNK CVE-2017-8464. This is not the first time a LNK vulnerability has come around and caused issues for Windows machines. Probably will not be the last either. A patch is available as part of Microsoft “Patch Tuesday” for this and the rest of the 96 vulnerabilities addressed this time.
What makes this one so interesting? Well, you don’t really even need to click this LNK file. Attacker can form the LNK file and place it on his server. Open a reverse_tcp listener on that server, for example, and then direct you the victim to browse to the LNK file. If you are not running the patch and your browser then loads and displays the image your machine could then be exploited to open the reverse_tcp session. This would make your machine now controllable by the hacker.
Excerpt from Microsoft Security Bulletin:
“LNK Remote Code Execution Vulnerability (CVE-2017-8464)
A remote code execution exists in Microsoft Windows that could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
I always find the mitigating verbiage from vendors to be interesting. Users with less rights on the system would be less impacted. True, but for you the local user browsing on your home machine you are probably going to get the worst of it since most admins do not browse from their server consoles. You don’t right?
Patch, patch and make sure you are patched.
Also for those of you wondering. Yes, Deep Security IPS and Vulnerability Protection IPS from Trend Micro already have Host IPS rules in place to protect against this attack. Here are some shots from the Deep Security console of the rule you can make sure is applied to your vulnerable systems. If you are running your recommendation scans regularly on your systems and have the setting to apply recommendations automatically you likely already have this rule applied.