If you’re a member of the IT security community, unless you’ve either been on vacation at the beach or hiding under a rock, you likely haven’t missed the emergence of the critical Microsoft Windows LNK zero day vulnerability first publicized over the weekend.
According to industry watchers including the Internet Storm Center (ISC) – which in a rare move shifted its Infocon threat indicator to yellow, indicating that it is “tracking a significant new threat” – widespread attacks targeting the flaw are already in motion around the globe.
Experts with SANS, the IT security training specialist organization that sponsors the ISC, have also reported that related threats, including those specifically targeting SCADA infrastructure control systems, are rapidly turning up all over the globe, with many more campaigns likely to arrive.
The involved vulnerability affects all versions of Windows, including the latest beta of Windows 7 (SP1), and allows attackers to use a malicious shortcut file, identified by the ".lnk" extension, to automatically execute malware if they can merely lure users into viewing the contents of a folder containing such a shortcut, or get them to plug an infected USB drive into their PC.
I am going to repeat that: “merely lure users into viewing the contents of a folder” – no other action is required by the victim.
Long story short, this is a big one, and organizations everywhere are likely scrambling right now to determine whether or not (or most likely where) the vulnerability has left their systems and end users open to a wide range of related threats.
That’s where our latest targeted “Vulnerability Outbreak Alert” response efforts come into play, and we’re proud to say that if you have our CORE IMPACT Pro penetration testing software in place right now, you’re already capable of doing just that.
Zeroing in on Zero Days
Core Security has never pitched itself as a “fix for the zero day problem.” For starters, as our CTO Ivan Arce is always quick to point out, anyone taking a purist view of the concept has to concede that if a flaw is a true zero day by academic standards, it has never been detailed in the public domain, at all.
And when our researchers find something new, for instance, they immediately inform the involved vendor and ask them to find a way to protect their customers ASAP, thereby eliminating the factor of it existing as an unknown/un-patched threat. We do not release an exploit until at least after a patch or workaround has been created, and a related advisory has been distributed.
As a caveat, if attacks are being seen in the wild (which again rules out the purist zero day interpretation), we will move to disclose something new right away and release code to help our customers test their defenses.
Our exploit writers also don’t immediately respond to every zero day vulnerability hitting the wires, as their development cycle is traditionally driven by widespread issues that have already been identified as something our customers are telling us that they want to test for.
But when something this big comes out, affecting so many organizations around the globe and nearly all of our customers, they can push the envelope; that’s why we hit the “go” button on our Vulnerability Outbreak Alert program and set the wheels in motion for a rapid response.
Last night the exploit and product development teams in Buenos Aires burned the midnight (and daybreak) oil, and today we’ve got a working exploit loaded into IMPACT Pro for our customers to go ahead and test themselves. To see a video of the exploit in action, click here.
Of course we’d always argue that organizations performing ongoing penetration testing are already best positioned to address such a flaw, as they likely know the ins and outs of their IT infrastructure far better than companies that are not. But it will also be vital for users to keep testing for the Windows LNK flaw for a while, as it won’t be going anywhere, and even once people have applied Microsoft’s patch there’s a need to ensure that the fix has taken properly and has not introduced additional risks.
It’s true, Core will never be a big “zero day company” but we’ll always keep an eye toward the wires, and more importantly the needs of our installed base, to ensure that we’re helping them address their most critical risks.
If you’re one of those organizations today, avail yourself of the new capability and test any defenses you have put in place to mitigate this vulnerability while you wait for a patch to be released.
And if you’re not, well, maybe you should make sure that you are next time this sort of situation arises.
Be proactive, pen test today.
--Alex Horan, Director of Product Management