Software Engineering Institute

Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. A PIF file is a shortcut to a MS-DOS application. Clicking on a LNK or PIF file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to calc.exe will launch calc.exe, and clicking a shortcut to readme.txt will open readme.txt with the associated application for handling text files.

Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a shortcut file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive, such as a USB thumb drive, is connected. Other applications that display file icons can be used as an attack vector for this vulnerability as well. When used in conjunction with a WebDav resource, Internet Explorer can be used as an attack vector for this vulnerability. With the case of Internet Explorer, no user interaction beyond viewing a web page is required to trigger the vulnerability.

This vulnerability is being exploited in the wild to spread malware (stuxnet) that targets control systems. Exploit code for this vulnerability is publicly available.

By convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device. This vulnerability can also be triggered by viewing a web page with Internet Explorer or opening a document with Microsoft Office.

Apply an update
This issue is addressed in Microsoft Security Bulletin MS10-046. Also consider the following workarounds:

Disable the displaying of icons for shortcuts

According to Microsoft Security Advisory 2286198:

Note See Microsoft Knowledge Base Article 2286198 to use the automated Microsoft Fix it solution to enable or disable this workaround.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry key:
   HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
3. Click the File menu and select Export.
4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save.
   Note This will create a backup of this registry key in the My Documents folder by default
5. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
6. Locate and then click the following registry key:
   HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
7. Click the File menu and select Export.
8. In the Export Registry File dialog box, enter PIF_Icon_Backup.reg and click Save.
   Note This will create a backup of this registry key in the My Documents folder by default.
9. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
10. Log all users off and on again, or restart the computer.

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.