What is the Windows Shortcut Exploit?
The Windows Shortcut Exploit, also known as CPLINK, is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link, known as an .lnk file, to run a malicious DLL file. The dangerous shortcut links can also be embedded on a website or hidden within documents.
The exploit works when you open a device, network share or WebDAV point carrying an infection. You don't need to click on anything for the exploit to work, and it works even if you have AutoPlay and AutoRun disabled.
SophosLabs first saw this exploit at work through the rootkit W32/Stuxnet-B, which targets Siemens SCADA systems to discover the system default password.
While Stuxnet only affected Windows machines with infected USB drives plugged in, the Windows Shortcut Exploit in general can work through file shares and WebDAV as well.
Am I at risk?
Sophos Endpoint customers are already protected from this exploit. We detect it as Exp/Cplink.
On August 2, 2010, Microsoft released an out-of-band patch that fixes this exploit on Windows XP SP3 and all later systems. We recommend you download and deploy it as soon as possible.
The Windows Shortcut Exploit affects all versions of Windows; however, the official patch only works on Microsoft-supported systems: Windows XP SP3 or later. If you are using Windows XP SP1 or SP2, we encourage you to download our free tool to stop the Windows Shortcut Exploit.
Sophos Security Chet-Chat Episode 19:
The Windows Shortcut Exploit/CPLINK - What is it, what are the risks?
How do I protect against this?
As of August 2, 2010, Microsoft has published an out-of-band patch for this vulnerability; you should download and install it immediately. Note: If you have the Sophos Windows Shortcut Exploit Protection Tool on your machine, uninstall it before deploying Microsoft's patch.
If you are using a version of Windows XP that Microsoft no longer supports, such as SP1 or SP2, download our free Windows Shortcut Exploit Protection Tool to stay protected.