Skip to content ↓ | Skip to navigation ↓

During my talk at DEF CON 23 last week, I discussed my experience developing USB based trojans and highlighted the fact that attempts to patch these vulnerabilities have done little to mitigate the risks associated with this attack vector. The revelation of CVE-2015-0096, which is a continuation of CVE-2010-2568, was believed to have been patched by MS10-046. However, it was not completely and we see this with MS15-018.

The original CVE-2010-2568 was one of a string of zero day vulnerabilities exploited by Stuxnet. This particular exploit served as the initial attack vector on a flash drive targeting Windows systems that allowed quick execution of a payload from a connected USB device. The vulnerability takes advantage of Windows use of .LNK files to define shortcuts to other files or directories, to use custom icons from .CPL files which can be used to run malicious code in the Windows shell as the current user.

There are currently not only active exploits available targeting this vulnerability, but active campaigns being seen in the wild. The vulnerability also affects most versions of Windows from Vista to Windows 10, Windows RT, and Server 2008 to 2012. All affected systems should be identified and patched (MS15-018) immediately.

This particular vulnerability raises some challenges for industrial environments and others as it requires a reboot of the system, which may not be an immediate possibility for some systems.

HP released a video demonstrating the vulnerability, where browsing to a folder that has a malicious .LNK file initiates code execution.