Vulnerability Note VU#824672
Microsoft Windows automatically executes code specified in shortcut files
Microsoft Windows automatically executes code specified in shortcut (LNK) files.
Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. Clicking on a LNK or file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to calc.exe will launch calc.exe, and clicking a shortcut to readme.txt will open readme.txt with the associated application for handling text files.
Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a shortcut file with Windows Explorer is sufficient to trigger the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well.
By convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device.
Apply an update
Block outgoing SMB traffic
To disable WebDAV on a Windows client, set the Startup type property for the WebClient service to Disabled. Note that this may interfere with the ability to access features that utilize WebDAV, such as some aspects of Microsoft SharePoint.
On the network
WebDAV can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP. See Blocking WebDAV methods for an example of how to accomplish this. Check with your firewall vendor for more details.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||-||03 Aug 2017|
CVSS Metrics (Learn More)
This document was written by Will Dormann.
- CVE IDs: CVE-2017-8464
- Date Public: 13 Jun 2017
- Date First Published: 03 Aug 2017
- Date Last Updated: 09 Aug 2017
- Document Revision: 18
If you have feedback, comments, or additional information about this vulnerability, please send us email.