Reports have been circulating for a few weeks about a new attack being targeted at certain Windows users that used USB memory sticks to propagate. More details have now emerged, including confirmation from Microsoft that a new flaw exists and is being exploited.

The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker's choosing. Any Windows application that tries to display the shortcut's icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.

The first reports of the problem came last month from Belorussian security company VirusBlokAda. The company found systems infected with the flaw through infected USB keys. The keys use the flaw to install a rootkit to hide the shortcuts, dubbed Stuxnet, including kernel-mode drivers, and a malicious payload. The rootkit is itself noteworthy: the drivers it installs are signed. The certificate used to sign them belongs to Realtek, suggesting that somehow the attackers have access to Realtek's private key. The certificate used to sign the rootkit has now been revoked by Verisign.

The current in-the-wild attacks are using USB keys to distribute the shortcuts, but the attack could equally use network shares or local disks. The malware payload appears to be designed to specifically compromise the databases used by Siemens' SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens' software uses hardcoded passwords, making attack particularly simple.

The best option for mitigating the flaw is to disable Windows' ability to show shortcuts' icons; details on how to do this are provided in Microsoft's security bulletin. However, this mitigation comes at some cost; it removes all the icons from the Start menu, for example, which is sure to be detrimental to usability. Disabling Autorun provides slight protection, as it prevents Explorer windows from opening automatically when a USB key or CD is inserted.

Malware has used USB keys to spread before, but generally has leveraged Windows' AutoRun capability to trick users into executing the malicious software automatically. Newer versions of Windows have reduced the functionality of AutoRun to try to prevent such attacks. This use of specially-crafted shortcuts, however, undermines that protection.

Though the flaw is not itself suitable for worm-like propagation, it nonetheless represents a substantial threat to Windows systems. Microsoft has not yet made any announcement of when a patch will become available; the next Patch Tuesday is not until August 10, but if the threat is deemed severe enough a patch could be released at any time. All currently supported versions of Windows are vulnerable, including Windows 7.

Microsoft doesn't list Windows 2000 or Windows XP Service Pack 2 as vulnerable, but this is because they are no longer supported—they are just as vulnerable as more recent versions, but will not receive a patch.