En los últimos días una amenaza conocida cómo CPLINK se está aprovechando de una debilidad en todos los sistemas operativos de Microsoft, desde Windows XP hasta 7.
Adjunto reportes (en inglés) de la amenaza por parte de Microsoft y Sophos.
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
Executive Summary
Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.
Microsoft is currently working to develop a security update for Windows to address this vulnerability.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Y la nota de Sophos que ofrece una herramienta para solucionar el problema.
The Windows Shortcut Exploit
What you need to know
What is the Windows Shortcut Exploit?The Windows Shortcut Exploit, also known as CPLINK, is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link, known as an .lnk file, to run a malicious DLL file. The dangerous shortcut links can also be embedded on a website or hidden within documents.The exploit works when you open a device, network share or WebDav point carrying an infection—you don’t need to click on anything for the exploit to work, even if you have AutoPlay and AutoRun disabled.SophosLabs first saw this exploit at work through the rootkit W32/Stuxnet-B, which targets Siemens SCADA systems to discover the system default password.While Stuxnet only affected Windows machines with infected USB drives plugged in, the Windows Shortcut Exploit in general can work through file shares and WebDav as well.Am I at risk?At the moment, there is no patch from Microsoft to fix this exploit; however, our free Windows Shortcut Exploit Protection Tool will block this exploit from running on your computer. Sophos customers are already protected from this exploit.The Windows Shortcut Exploit affects all Microsoft-supported versions of Windows—anything newer than Windows XP SP3—as well as older versions.How do I protect against this?Download our free Windows Shortcut Exploit Protection Tool to block the exploit from running on your computer. If you’re an existing Sophos Endpoint customer, you are already safe from this exploit.Microsoft’s officially recommends disabling icon rendering; however, this advice could make Windows significantly harder to use.Fuente: