I have spent the last three days looking at how we can best protect ourselves against the latest Windows zero day vulnerability, aside from running up to date anti-virus software. We have named this exploit CPLINK within SophosLabs referring to the fact that it is a Control Panel .lnk exploit. To begin the exercise I followed Microsoft’s advice and disabled the rendering of icons…
You will see that my taskbar is nearly entirely unusable and I won’t even expose you to My Documents. While Microsoft’s advice seems to hold true (The iTunes icon actually rendering makes me suspect) it seriously degrades the usability of the Windows desktop. It is necessary if you have a complicated Windows deployment, but if you have a good standard for application deployment you can try a less drastic mitigation. I mentioned in my previous article that the use of Software Restriction Policies via GPOs is a realistic and more practicable solution to avoiding infection while awaiting a patch from Microsoft.
Michael Shannon and I had our weekly Chet Chat and talked about this in detail. Michael is a threat researcher in SophosLabs and shared his thoughts on the risk, mitigation, and how it might have happened.
Sophos Security Chet Chat episode 19 is also available as a direct MP3.
If you decide you need to disable the rendering of icons to avoid the risk of infection it is quite simple. Open regedit.exe and browse to HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler. Click the file menu to export the key so you have a backup and then clear the value.
My advice is that if you have a controlled Windows deployment you will likely know where your users are executing software that is approved. In this case you can simply create a GPO that defines where software is allowed to run and if that does not include network shares this will provide you an equivalent level of protection without the nastiness of making all your icons turn into white sheets.
Microsoft provides guidance on Software Restriction policies on their TechNet website. By creating a SRP that only allows executable files to run from designated locations (C:\, C:\Program Files, C:\Windows) or specific network locations you can reduce the risk of infection without disabling icons.
Fortunately we have not seen a lot of malware attempting to exploit this vulnerability yet. Unfortunately I predict it is only a matter of time. SANS apparently agrees as they have elevated their threat level to yellow.
Aside from the risks of this exploit we have seen a lot of drama on the cloak and dagger side of this story, mostly related to the original malware distributed using this exploit. It might be interesting reading, but my head is down trying to do what I can to understand the risk and provide sensible advice. Godspeed to Microsoft in providing us a fix, and as always SophosLabs are working on your behalf to provide the best protection we can.