Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports:
The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut’s target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend’s Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.
Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. “This is one of many bugs that the attackers are using, but this is one that is not patched and that’s why we reported it as a zero day,” Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. “We told Microsoft but they consider it a UI issue, not a security issue. So it doesn’t meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines.”
After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.
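The padding trick described above is something a defender can check for mechanically: the Shell Link format (MS-SHLLINK) stores the command-line arguments as a length-prefixed string, so a scanner can read that string directly instead of relying on what the Properties dialog shows. The following added example, which is not code from the article or from Trend Micro, walks a .LNK far enough to pull out its StringData fields, collapses the whitespace in the arguments, and flags any whitespace run longer than a threshold (64 characters here; the threshold is an assumption, as is the idea that legitimate shortcuts never contain runs that long). The two sample shortcuts are constructed fixtures built by the block itself, with a benign argument, so it runs offline.

```python
import re
import struct

# Constants from the MS-SHLLINK (Shell Link binary format) specification.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Walk a .LNK far enough to pull out its StringData fields (name, arguments, ...)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (2-byte size prefix, not self-inclusive)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (its size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags, "file_size": len(data)}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters; no terminator follows
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def inspect_arguments(args: str, max_run: int = 64) -> dict:
    """Flag COMMAND_LINE_ARGUMENTS whose whitespace runs are far longer than ordinary spacing.

    max_run is an assumed threshold, not a value from the article."""
    runs = [len(m.group(0)) for m in re.finditer(r"\s+", args)]
    longest = max(runs, default=0)
    return {
        "length": len(args),
        "longest_whitespace_run": longest,
        "normalized": " ".join(args.split()),   # the arguments with all padding collapsed
        "suspicious": longest > max_run,
    }


def scan_lnk(data: bytes) -> dict:
    """Parse a .LNK and report on its arguments; a file with no arguments is reported as clean."""
    fields = parse_lnk(data)
    report = {"file_size": fields["file_size"], "name": fields.get("name", ""), "suspicious": False}
    if "arguments" in fields:
        report.update(inspect_arguments(fields["arguments"]))
    return report


def _string_data(s: str) -> bytes:
    """One StringData entry: 2-byte CountCharacters followed by UTF-16LE text."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Build a minimal Shell Link with only a header and StringData (constructed test fixture)."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_NAME if name else 0)
    header = struct.pack("<I16sIIQQQIIIHHII",
                         HEADER_SIZE, LINK_CLSID, flags,
                         0x80,        # FileAttributes: FILE_ATTRIBUTE_NORMAL
                         0, 0, 0,     # Creation/Access/Write FILETIME
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand: SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1..3
    return header + (_string_data(name) if name else b"") + _string_data(arguments)


# Constructed samples: an ordinary shortcut and one padded the way the article describes.
BENIGN_LNK = build_lnk("/c notepad.exe", name="Notes")
PADDED_LNK = build_lnk(" " * 4000 + "/c notepad.exe", name="Quarterly report")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, scan_lnk(blob))
```

Running the block prints one report per fixture; the padded one shows a 4000-character whitespace run and the normalized arguments that the padding was hiding. To use it on real shortcuts, read each file's bytes and pass them to `scan_lnk`, keeping in mind that real .LNK files usually carry a LinkTargetIDList and LinkInfo, which the parser skips over by their size fields before reaching the strings.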
I don’t disagree with the premise. But I think the term also serves to demonstrate the severity of the risk when it has gone unpatched. The whole definition is valid, not just the bits and pieces because terms like this evolve over time. We still call disk partitions disks, even though that’s not really accurate anymore. An NVME drive with a C, D and E partition isn’t the same as having separate disk drives was back in the 90’s.
I guess I’m old school. For me, “zero day” was always about the time the developer had before the exploit was in the wild. In the old days of physical media, there’d usually be a window between an exploit found on pre-release software that had already been shipped, and the dev could get a fix ready in that time (day 1 patch, like in video games). But if it was found on released software, they’d have zero days to patch it before people are impacted.
The severity has always been a different thing entirely, which is based on:
A zero day could be any of those.
I don’t? But then again, I’m a Linux guy, so lettered “partitions” aren’t a thing for me, there are drives (physical), partitions, and mount points (where on the FS does that data live). I haven’t used Windows in a significant way for over a decade.