Microsoft is investigating reports of ongoing “targeted attacks” that exploit a serious Windows Shell vulnerability.
According to Redmond, the vulnerability is linked to shortcuts that are “incorrectly parsed,” which allows malicious code to execute.
“This vulnerability is most likely to be exploited through removable drives,” Microsoft confirmed in an official statement.
“For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable (USB devices) is automatically disabled.”
However, Sophos researcher Graham Cluley warned that attacks can be initiated automatically via Windows Explorer – even with AutoRun and AutoPlay disabled.
“The chances of that occurring have increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code onto the Internet. What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability – as it would certainly be a useful tool in any malware’s arsenal,” Cluley wrote in a Sophos blog post.
“In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay. [So], there is [definitely] a real risk that more malware will take advantage of the zero-day exploit now the code is ‘out there,’ taking things to a whole new level.”