Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
Redmond blames Windows users, rather than solve 30-year-old bug—exploited since 2017.
Researchers found a nasty Windows vulnerability, but Microsoft sat on it for six months. It’s easy to exploit and it allows full control over the victim’s PC. At least 11 threat groups have been exploiting it for years.
And yet, Microsoft still refuses to fix it. In today’s SB Blogwatch, we ask, “When is a bug not a bug?”
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fun with plasma.
Satya Says NO
What’s the craic? Sergiu Gatlan reports: New Windows zero-day exploited by 11 state hacking groups
“Malicious command-line arguments”
The security flaw has been exploited in widespread attacks by many state-sponsored threat groups and cybercrime gangs. [But] Microsoft tagged it as “not meeting the bar servicing” in late September and said it wouldn’t release security updates to address it.
…
This heavily exploited Windows vulnerability (tracked as ZDI-CAN-25373) … allows attackers to exploit how Windows displays shortcut (.LNK) files to evade detection and execute code on vulnerable devices without the user’s knowledge. Threat actors [hide] malicious command-line arguments within .LNK shortcut files using padded whitespaces added to the COMMAND_LINE_ARGUMENTS structure.
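To make that padding trick concrete from a detection angle, here is an added example (not code from the original post, from ZDI or from Microsoft): a small Python parser that walks the MS-SHLLINK header and StringData to pull out COMMAND_LINE_ARGUMENTS, then flags a long run of whitespace and returns whatever text sits after it. The constructed sample file, the 32-character threshold and the function names are assumptions made for this example.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 1 << 0, 1 << 1, 1 << 2
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 1 << 3, 1 << 4, 1 << 5
HAS_ICON_LOCATION, IS_UNICODE = 1 << 6, 1 << 7
STRING_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR,
                "working_dir"), (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
WHITESPACE = " \t\r\n\x0b\x0c"  # renders as blank in the shortcut Properties dialog

def build_lnk(arguments):
    """Constructed sample (assumption): minimal Unicode .LNK carrying only COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))  # remaining 76-byte header fields zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

def read_string(buf, pos, unicode):
    """One StringData item: 2-byte CountCharacters, then the characters (no terminator)."""
    count, = struct.unpack_from("<H", buf, pos)
    width = 2 if unicode else 1
    raw = buf[pos + 2:pos + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), pos + 2 + count * width

def string_data(buf):
    """Validate the header, skip LinkTargetIDList and LinkInfo, return the StringData fields."""
    size, = struct.unpack_from("<I", buf, 0)
    if size != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", buf, 20)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", buf, pos)[0]      # LinkInfoSize covers the whole block
    fields = {}
    for bit, name in STRING_ORDER:
        if flags & bit:
            fields[name], pos = read_string(buf, pos, bool(flags & IS_UNICODE))
    return fields

def padding_check(buf, threshold=32):
    """Return (suspicious, longest_whitespace_run, text_after_run) for COMMAND_LINE_ARGUMENTS."""
    args = string_data(buf).get("arguments", "")
    longest, run, end = 0, 0, 0
    for i, ch in enumerate(args):
        run = run + 1 if ch in WHITESPACE else 0
        if run > longest:
            longest, end = run, i + 1
    suspicious = longest >= threshold  # threshold is an assumed tuning value
    return suspicious, longest, args[end:] if suspicious else ""
```

Run `padding_check` over a directory of downloaded .LNK files to surface the ones whose visible arguments end in a wall of blanks; the returned tail is what the Properties dialog would not have shown.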
Who found it? Our own Jeffrey Burt has more: China, Russia, North Korea Hackers Exploit Windows Security Flaw
“Suggesting users not to open it”
The bad actors since at least 2017 have targeted government, military, and critical infrastructure organizations in the United States, Canada, Europe, Asia, and elsewhere by abusing a vulnerability that allows the attackers to run hidden malicious commands on victims’ systems, according to threat researchers with Trend Micro’s Zero Day Initiative. … ZDI researchers uncovered almost 1,000 malicious .LNK files – though said the actual number of such files could be much higher – created by state-sponsored, state-adjacent, and financially motivated groups that exploit the vulnerability that are disguised as harmless types of files, such as a document, in hopes that the victims will manually execute them, which puts the malicious commands in motion.
…
The bulk of the state-sponsored APT groups … come from North Korea, with others coming from Iran, … Russia … and China. … ZDI linked a number of state-sponsored groups to the campaigns, including Kimsuky (also known as APT43 and Earth Kumiho), Konni (Earth Imp), APT37 (ScarCruft, InkySquid, Earth Manticore) from North Korea, … Bitter (Earth Anansi) [and] Evil Corp, a notorious Russian cybercrime group.
…
A Microsoft spokesperson [said] the company’s Defender security product can detect and block such threat activity, that its Smart App Control also will block malicious files, and that trying to open a .LNK file downloaded from the internet automatically produces a warning suggesting users not to open it.
Horse’s mouth? Peter Girnus and Aliakbar Zahravi have an ax to grind: Windows Shortcut Exploit Abused as Zero-Day
“Microsoft classified this as low severity”
We submitted a proof-of-concept exploit … to Microsoft, who declined to address this vulnerability. … We have identified a substantial volume of telemetry indicating that a diverse range of state-sponsored and cybercriminal threat actors have been targeting multiple sectors.
…
ZDI-CAN-25373 is an example of User Interface (UI) Misrepresentation of Critical Information (CWE-451). This means that the Windows UI failed to present the user with critical information. [Yet] Microsoft classified this as low severity.
Wait, this makes no sense: “Not meeting the bar servicing”? duxup tries to decode the Microspeke:
This reads like someone at Microsoft looked at the issue and decided that this issue is technically “not my job.”
Could the ’softies have a point? Jou (Mxyzptlk) thinks Microsoft is right (kinda):
It is a UI issue.
But: Microsoft and UI: That is the issue.
So many tiny things that could have been improved with Windows 11 compared to the (mostly usable) Win10 UI.
Tell me more about this CWE-451 type of vuln? peppepz has a go:
There is a problem in general with the abbreviation of strings in user interfaces, when the length of the visual representation of a string exceeds the width of the user interface field that the programmer has designed.
…
This problem has always existed, as this 30-year old bug shows, but has become much more widespread today, when programmers don’t design and test user interfaces directly but rather use tools and technologies that render the programmer’s abstract description of the UI into a concrete presentation that is specific for the resolution, density and orientation of the screen that is currently displaying it. This is great in theory, but in practice what happens is that programmers only test the UI in the English language and on an expensive large screen, and then the rest of the world gets to choose between “document version 1” and “document version 2” by means of a combo box that shows two identical lines reading “document versio…”
But how does that help us understand this problem? AStonesThrow gets closer:
.LNK is just a special case of scripting executable file. … Security warnings are already enabled for an untrusted .LNK downloaded from the Internet. … Unfortunately, typical users aren’t sophisticated enough to recognize that a .LNK is an arbitrarily-coded script file, nor to inspect it closely enough when these Evil North Koreans found a way to obfuscate it.
…
.LNK format … is a signature design feature of Windows 95 and later. It’s working as intended, as a soft-link to some other type of file. So of course it is supposed to depict the handler that opens the link target, and hide the shortcut-ness. … The bottom line is that users are accustomed to reading ideograms, animations, and GUI cues just as well as, or better than, the accompanying text, and graphical expressions are becoming mandatory in order to properly describe a button, a widget, an application, or whatever GUI element is in question.
Meanwhile, Like a badger pulls on their tinfoil hat:
If it’s a useful element of the various vulnerabilities exploited by Russineseorkean state sponsored hackers, then one must assume there is a reason it hasn’t been plugged. And the simplest explanation would be that … it’s also a useful tool for US spy agencies who have told MS not to fix it.
And Finally:
Hat tip: Tom Scott
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Geraldine le Meur (cc:by; leveled and cropped)