cross-posted from: https://lemmy.sdf.org/post/31274457
An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads.
Ordinarily, the shortcut’s target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend’s Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.
Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher.
“This is one of many bugs that the attackers are using, but this is one that is not patched and that’s why we reported it as a zero day,” Dustin Childs, head of threat awareness at the Zero Day Initiative, [said].
“We told Microsoft but they consider it a UI issue, not a security issue. So it doesn’t meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines.”
[…]
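One way a defender can flag shortcuts padded like the ones described above, as an added example and not code from the article, Trend Micro or Microsoft: a minimal parser for the StringData section of the Shell Link (.LNK) binary format that measures how much leading whitespace precedes the real text in COMMAND_LINE_ARGUMENTS. The detection threshold and the constructed sample shortcuts are assumptions.

```python
import struct
import sys

# Shell Link header: 76-byte fixed header, CLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_ARGUMENTS = 0x20
# StringData fields in their on-disk order, with the LinkFlags bit that makes each present
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", HAS_ARGUMENTS), ("icon_location", 0x40)]
WHITESPACE = " \t\r\n\x0b\x0c"

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file, skipping IDList and LinkInfo."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, not bytes
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        out[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return out

def assess_lnk(data: bytes, threshold: int = 256) -> dict:
    """Flag shortcuts whose arguments start with a long whitespace run (threshold is an assumption)."""
    args = parse_lnk_strings(data).get("arguments", "")
    visible = args.lstrip(WHITESPACE)
    padding = len(args) - len(visible)
    return {"padding_chars": padding, "suspicious": padding >= threshold,
            "hidden_arguments": visible.strip(WHITESPACE)}

def build_lnk(arguments: str) -> bytes:
    """Constructed minimal .LNK carrying only COMMAND_LINE_ARGUMENTS, for offline testing."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess_lnk(fh.read()))
```

Run it over a directory of shortcuts to list the ones whose arguments only become visible after hundreds of whitespace characters; the padded sample in the test is constructed and the placeholder argument is benign.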
Is it a bug though? It’s like saying that the ability to put a few megabytes of new lines in a shell script is a bug. What are they smoking?
They’re also, more accurately, calling it an exploit and a security vulnerability.
Nah, it’s not a bug. Clearly, .lnk files are intended to contain megabytes of whitespace to conceal malicious links.