Hitman Pro LNK Exploit Protection released

It has been over 2 weeks since Microsoft’s confirmed a serious vulnerability in the handling of Windows shortcuts. At least 5 different pieces of malware have already jumped on the bandwagon and began actively exploiting the vulnerability.

There is still no official patch, presumably since every Windows version (including 64-bit) is affected and it takes time to develop and test a fix for all these versions. Notice that Windows 2000, Windows XP RTM, SP1 and SP2 won’t seem to be getting an update as these products aren’t listed in Microsoft’s advisory. But these older versions are vulnerable too!

The vulnerability is in the handling of reading icons for shortcuts (.lnk files). A special shortcut can specify to load the icon from a separate library file. The Windows Shell (SHELL32.dll) loads that library file with EXECUTE rights, causing (potentially malicious) code in that library file to run. Notice that Windows does this automatically, no user interaction required!

A few AV companies have released standalone tools, but these tools either offer protection of non-local disks only or they also block some legitimate shortcuts. Though these solutions are better than Microsoft’s workaround where all shortcuts lose their icon!

Today we have  released, as part of Hitman Pro, the LNK Exploit Protection Shell Extension. This extension prevents the vulnerability in SHELL32 to load the icon library with execute rights. The result is that the icon is still loaded but no (potentially malicious) code is run. This works on the entire computer (not just on non-local disks) and it does not block the icon of legitimate shortcuts.

More information on the exploit can be read here.

The following video illustrates how to enable and disable the LNK Exploit Protection feature.

Note: The LNK Protection provides protecton of malware exploiting the vulnerability only.

One Response to Hitman Pro LNK Exploit Protection released

  1. HackTalk says:

    Microsoft to release “out of band” update for .LNK vulnerability…

    This was a really good post I mentioned it on my blog…

%d bloggers like this: