CPLINK and Stuxnet – there is a silver lining

In case you’ve missed the big security story of the past few days, it’s all about the Stuxnet malware, which brought to the world’s attention a rather naughty bug in Windows – the “CPLINK shortcut vulnerability”, or just CPLINK for short.

Windows shortcuts are clickable links which launch preconfigured applications. Shortcuts are stored in small files with the extension LNK. For example, you can create a “Command Prompt” LNK file to open up a command window in the size, font and colours of your choosing. All innocent-sounding, useful stuff.

But the CPLINK vulnerability means you can craft a shortcut which pretends to link to a Control Panel applet but instead automatically runs an arbitrary program even if you only browse to the directory containing the shortcut. For USB keys, this is like AutoRun all over again. Just looking at a USB key might be enough to infect your PC.

Listening to some commentators, you might be forgiven for thinking that this is TEOTWAWKI [*], or if not actually the end of the world, at least the beginning of the end. And, indeed, this is a serious vulnerability which is not trivial to work around.

Unlike other World-Ending vulnerabilities of the past, such as MS04-028, which could infect via malformed JPEG files, CPLINK shortcuts are legitimately structured. They don’t force a crash, or a buffer overflow, or other illicit behaviour. They merely cause your PC to take an offical but ill-designed code path inside Windows. (To be more precise, inside SHELL32.DLL – so watch for that file to be patched when the fix comes out.)

So where is the silver lining I mentioned above?

Firstly, shortcuts which exploit the CPLINK vulnerability can be detected and blocked by anti-malware programs. And to infect your PC, the malicious file to which the LNK points also has to evade detection entirely. With a decent anti-malware program, correctly configured and updated, missing both an exploitative LNK and its malevolent target can be considered very unlikely.

Secondly, I suspect that CPLINK will help to focus all our minds on the general risks posed by USB devices, getting us beyond thinking only about USB malware. After all, CPLINK begs a much bigger question than “what am I to do about Stuxnet?”

What are you doing about potentially dangerous or unwanted USB devices from the outside in the first place? And why are you letting uninfected keys from inside your organisational web of trust go outside and come back modified at all?

Shouldn’t you keep any unwanted USB devices out, not just in case of malware, but in case of anything untrustworthy, including data?

Shouldn’t you protect your own as-yet uninfected USB devices from any sort of compromise, whether by malware, or by data stealing, or by any sort of cybercriminal activity?

Shouldn’t you be considering device control? Device encryption? Concerning yourself with data protection and privacy as well as security?

I know I sound like a salesman who has a hammer and is looking for a nail. (In fact, I do have a hammer, and if you have USB devices, then you already have plenty of nails. But I am not a salesman.)

Privacy and security are two sides of the same coin.

Anyone who tries to tell you otherwise is probably either a faceless bureaucrat determined to convince you that “surveillance is good for you”, or an online service desperate to commercialise your life’s detail, or a cybercriminal.

[*] TEOTWAWKI: The End Of The World As We Know It