Security researcher Nafiez has publicly disclosed a previously unknown vulnerability affecting Windows LNK files (shortcuts) that can potentially allow attackers to execute code remotely without user interaction. By crafting malicious LNK files with a manipulated EnvironmentVariableDataBlock and UNC paths, attackers can trigger silent network connections when a user simply opens a folder containing the malicious shortcut.

This vulnerability is particularly concerning because it doesn’t require the user to actually click on the shortcut: merely browsing a directory containing the malicious LNK file is sufficient to initiate the attack. “When user access[es] a folder that has the LNK file, the Explorer will parse any files stored in the folder… this is where the initialization of the file gets ready [to be] called/executed,” Nafiez explained in the technical analysis. “Once you compile the code, run the executable to generate LNK file and make sure to run Responder tool to capture NTLM Hash,” researcher Nafiez said.

Despite the researcher releasing a working proof-of-concept (PoC), Microsoft has declined to patch the flaw, stating it “does not meet their security bar for servicing”. According to their security servicing criteria, Microsoft addresses vulnerabilities only if they “violate the goal or intent of a security boundary or security feature” and meet their severity threshold for servicing. Microsoft has justified their decision not to patch this vulnerability by arguing that their Mark of the Web (MOTW) security feature provides adequate protection. MOTW is a digital tag placed on downloaded files that could potentially be malicious, triggering security warnings before execution.

Microsoft has previously addressed critical vulnerabilities in LNK files, including a remote code execution flaw in 2017 and another in 2010 that was actively exploited. As security researchers from Intezer note, “LNK files (aka Windows shortcuts) may seem simple, but threat actors can use them to execute other binaries and inflict great harm”. Researchers at Elastic Security Labs recently uncovered a technique called “LNK stomping” that has been used by threat actors for at least six years to bypass MOTW controls.
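A defender-side check for the indicator the article describes, added here as an example that is not from the article or from Nafiez's PoC: it parses the public MS-SHLLINK layout, walks the ExtraData blocks and reports any EnvironmentVariableDataBlock whose target is a UNC path, so dropped shortcuts can be triaged before a user browses the folder. The fixture builder `sample_lnk` and the `EXAMPLE-HOST` share name are constructed for the demonstration.

```python
import struct

LNK_MAGIC, LNK_CLSID = 0x4C, bytes.fromhex("0114020000000000c000000000000046")
ENV_VAR_BLOCK_SIG, ENV_VAR_BLOCK_SIZE = 0xA0000001, 0x314  # MS-SHLLINK 2.5.4
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, IS_UNICODE = 0x01, 0x02, 0x04, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation

def env_block_targets(lnk: bytes) -> list[str]:
    """Return the target path stored in every EnvironmentVariableDataBlock of an LNK file."""
    if len(lnk) < 76 or struct.unpack_from("<I", lnk, 0)[0] != LNK_MAGIC or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    off = 76  # fixed-size header; the optional structures follow in this order
    if flags & HAS_ID_LIST:  # LinkTargetIDList: 2-byte IDListSize, then the list
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: its first DWORD is the whole structure's size
        off += struct.unpack_from("<I", lnk, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_FLAGS:  # StringData: 2-byte CountCharacters, then the characters
        if flags & bit:
            off += 2 + width * struct.unpack_from("<H", lnk, off)[0]
    targets = []
    while off + 8 <= len(lnk):  # ExtraData: (BlockSize, BlockSignature, data) until size < 4
        size, sig = struct.unpack_from("<II", lnk, off)
        if size < 4:
            break
        if sig == ENV_VAR_BLOCK_SIG and size == ENV_VAR_BLOCK_SIZE:
            ansi = lnk[off + 8:off + 268].split(b"\0", 1)[0].decode("latin-1")  # TargetAnsi, 260 bytes
            uni = lnk[off + 268:off + 788].decode("utf-16-le").split("\0", 1)[0]  # TargetUnicode, 520 bytes
            targets.append(uni or ansi)
        off += size
    return targets

def unc_targets(lnk: bytes) -> list[str]:
    """Targets naming a remote share; resolving one makes Explorer open an outbound SMB connection."""
    return [t for t in env_block_targets(lnk) if t.startswith(("\\\\", "//"))]

def sample_lnk(target: str) -> bytes:
    """Constructed parser fixture: header, one Name string, one EnvironmentVariableDataBlock."""
    header = struct.pack("<I16sI", LNK_MAGIC, LNK_CLSID, HAS_NAME | IS_UNICODE).ljust(76, b"\0")
    name = struct.pack("<H", 5) + "Notes".encode("utf-16-le")
    block = struct.pack("<II", ENV_VAR_BLOCK_SIZE, ENV_VAR_BLOCK_SIG)
    block += target.encode("latin-1").ljust(260, b"\0") + target.encode("utf-16-le").ljust(520, b"\0")
    return header + name + block + b"\0\0\0\0"  # TerminalBlock ends the ExtraData section

if __name__ == "__main__":
    print(unc_targets(sample_lnk("\\\\EXAMPLE-HOST\\share\\doc.txt")))
```

Pointing the scanner at a real sample is `unc_targets(open(path, "rb").read())`; an empty list means no EnvironmentVariableDataBlock names a remote share.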
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 30 Apr 2025 05:25:54 +0000