Shortcut exploit: protect against it with this free tool

Filed Under: Malware, Microsoft, Video, Vulnerability

Shortcut exploit splat
Sophos engineers have been busy developing and testing a free tool that protects users from malware exploiting the critical zero-day vulnerability known as the "Shortcut exploit".

We have begun to see more hackers taking advantage of the exploit, spreading malware which takes advantage of Microsoft's unpatched vulnerability.

Sophos has been doing a good job of protecting its customers against this problem (we detect exploited files as Exp/Cplink). But what if you're not a Sophos user and are worried about the attacks?

We can now present, the Sophos Windows Shortcut Exploit Protection Tool. Watch the following video to see it in action:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Here are the details in a nutshell:

1. It intercepts LNK shortcut files that contain the exploit, telling you which executable code it was attempting to run. That means it will stop malicious threats which use this vulnerability if they are on non-local disks, such as a USB stick for instance.

2. You can run the tool alongside your existing anti-virus product. No need to throw the baby out with the bathwater. The tool supports Windows XP, Vista and Windows 7. It doesn't support Windows 2000.

3. Unlike Microsoft's workaround, it doesn't blank out all the shortcuts on your Windows Start Menu - meaning your life (and that of your users) will be easier.

4. It's free to download.

Want to know more? Here's the nerdy explanation:

The vulnerability, known as the shortcut exploit, is in the way that Microsoft Windows handles .LNK shortcut files. If Windows tries to display the icon of an exploited shortcut file it can run the malicious code pointed to by the shortcut, without any user interaction.

One of the ways we have seen this problem exploited is via malware infections on USB sticks - capable of running viral code even if AutoPlay and AutoRun are disabled.

The free Sophos tool installs a new icon handler for Windows shortcuts. Whenever Windows tries to display an icon corresponding to a Windows shortcut, the new icon handler will intercept this request and validate the shortcut. If the shortcut does not contain the exploit, control will be given back to Windows.

But, if the shortcut does contain an exploit, a message is displayed to the user and extraction of the dangerous icon is blocked.

A Windows shortcut is deemed to contain the exploit if it is a Control Panel shortcut, and it points to an existing file that can be opened for execution, and neither the shortcut nor the shortcut's target are on the computer's local disk.

What's really nice is that it doesn't matter what anti-virus software you're using - you can still install this free tool from Sophos, and it will work alongside your existing anti-virus.

And the Sophos Windows Shortcut Exploit Protection Tool (maybe we should have come up with a shorter name?) is a piece of cake to install. The tool can be installed and uninstalled easily and quickly. Administrators can run the installer package on the computer, and network administrators can push the installer package via Group Policies.

Hopefully soon Microsoft will release a proper patch to protect against the shortcut vulnerability, and then you can simply uninstall our tool. But in the meantime, this is neat. Very neat.

Go and get it now.

, , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley