Select Page

Microsoft Windows LNK CVE-2017-8464. This is not the first time a LNK vulnerability has come around and caused issues for Windows machines. Probably will not be the last either. A patch is available as part of Microsoft “Patch Tuesday” for this and the rest of the 96 vulnerabilities addressed this time.

What makes this one so interesting? Well, you don’t really even need to click this LNK file. Attacker can form the LNK file and place it on his server. Open a reverse_tcp listener on that server, for example, and then direct you the victim to browse to the LNK file. If you are not running the patch and your browser then loads and displays the image your machine could then be exploited to open the reverse_tcp session. This would make your machine now controllable by the hacker.

Excerpt from Microsoft Security Bulletin:
“LNK Remote Code Execution Vulnerability (CVE-2017-8464)
A remote code execution exists in Microsoft Windows that could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

I always find the mitigating verbiage from vendors to be interesting. Users with less rights on the system would be less impacted. True, but for you the local user browsing on your home machine you are probably going to get the worst of it since most admins do not browse from their server consoles. You don’t right?

Patch, patch and make sure you are patched.

Also for those of you wondering. Yes, Deep Security IPS and Vulnerability Protection IPS from Trend Micro already have Host IPS rules in place to protect against this attack. Here are some shots from the Deep Security console of the rule you can make sure is applied to your vulnerable systems. If you are running your recommendation scans regularly on your systems and have the setting to apply recommendations automatically you likely already have this rule applied.

Facebook Comments

Related Post

WannaCry (CVE-2017-0145) Detect with Metasploit So by now everyone should have heard of WannaCry and all the variants. Here is a good rundown on https://en.wikipedia.org/wiki/WannaCry_ransomware_att...
Cloud App Security Gets ML and BEC for Office365 Trend Micro has announced an update to the Cloud App Security suite. For those of you not familiar with the Cloud App Security suite it covers Off...
My heartbleed demo Recently I was asked to present a live hack in front of an audience and I decided go back in time to the heartbleed bug. I say back in time bu...
Data Breach at UCF As reported by Fox 35 in Orlando, it appears the University of Central Florida is now the victim of a data breach. The data breach has resulte...
Share This