Shortcut exploit: protect against it with this free tool

Sophos engineers have been busy developing and testing a free tool that protects users from malware exploiting the critical zero-day vulnerability known as the “Shortcut exploit”.

We have begun to see more hackers taking advantage of the exploit, spreading malware that abuses Microsoft’s still-unpatched vulnerability.

Sophos has been doing a good job of protecting its customers against this problem (we detect exploited files as Exp/Cplink). But what if you’re not a Sophos user and are worried about the attacks?

We can now present the Sophos Windows Shortcut Exploit Protection Tool. Watch the following video to see it in action:

[youtube=http://www.youtube.com/watch?v=Gucn5xWZ1m8&hl=en_US&fs=1]

Here are the details in a nutshell:

1. It intercepts LNK shortcut files that contain the exploit, telling you which executable code the shortcut was attempting to run. That means it will stop malicious threats which use this vulnerability if they are on non-local disks, such as a USB stick.

2. You can run the tool alongside your existing anti-virus product. No need to throw the baby out with the bathwater. The tool supports Windows XP, Vista and Windows 7. It doesn’t support Windows 2000.

3. Unlike Microsoft’s workaround, it doesn’t blank out all the shortcuts on your Windows Start Menu – meaning your life (and that of your users) will be easier.

4. It’s free to download.

Want to know more? Here’s the nerdy explanation:

The vulnerability, known as the shortcut exploit, is in the way that Microsoft Windows handles .LNK shortcut files. If Windows tries to display the icon of an exploited shortcut file it can run the malicious code pointed to by the shortcut, without any user interaction.

One of the ways we have seen this problem exploited is via malware infections on USB sticks – capable of running viral code even if AutoPlay and AutoRun are disabled.

The free Sophos tool installs a new icon handler for Windows shortcuts. Whenever Windows tries to display an icon corresponding to a Windows shortcut, the new icon handler will intercept this request and validate the shortcut. If the shortcut does not contain the exploit, control will be given back to Windows.

But, if the shortcut does contain an exploit, a message is displayed to the user and extraction of the dangerous icon is blocked.

A Windows shortcut is deemed to contain the exploit if it is a Control Panel shortcut, and it points to an existing file that can be opened for execution, and neither the shortcut nor the shortcut’s target are on the computer’s local disk.
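As an added illustration of that three-part rule (this is not the Sophos tool's code), here is a small Python triage script that parses a .LNK header and its ID list and applies the rule. It assumes that a Control Panel shortcut can be recognised by the Control Panel folder CLSID appearing in the ID list, that the target library path is stored as a UTF-16 string inside those items, that C: is the only local disk, and that an injectable `file_exists` check stands in for "can be opened for execution"; the sample shortcut (`SAMPLE_LNK`, `build_lnk`) is constructed here for offline testing.

```python
import os, re, struct, uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # MS-SHLLINK LinkCLSID
CPL_FOLDER_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")  # shell Control Panel folder

def parse_lnk(data: bytes):
    """Parse ShellLinkHeader + LinkTargetIDList. Returns (is_control_panel, utf16_strings): the
    printable UTF-16LE runs inside the ID list items, which is where a CPL shortcut names its library."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID):
        raise ValueError("not a .LNK file: bad HeaderSize or LinkCLSID")
    items, pos = [], 0x4E
    if struct.unpack_from("<I", data, 20)[0] & 0x1:  # LinkFlags.HasLinkTargetIDList
        end = pos + struct.unpack_from("<H", data, 0x4C)[0]  # IDListSize follows the header
        while pos + 2 <= end:
            size = struct.unpack_from("<H", data, pos)[0]
            if size < 2:  # TerminalID (0x0000) closes the list
                break
            items.append(data[pos + 2:pos + size])
            pos += size
    is_cpl = any(CPL_FOLDER_CLSID.bytes_le in item for item in items)
    strings = [m.group().decode("utf-16-le") for item in items
               for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", item)]
    return is_cpl, strings

def is_local_disk(path: str, local_drives=("C:",)) -> bool:
    """Assumption: C: is the only local fixed disk; UNC paths and other drive letters are non-local."""
    path = path.replace("/", "\\")
    return not path.startswith("\\\\") and path[:2].upper() in local_drives

def exploit_target(lnk_path: str, data: bytes, file_exists=os.path.exists):
    """The post's rule: CPL shortcut + existing executable target + neither on a local disk."""
    is_cpl, strings = parse_lnk(data)
    if not is_cpl or is_local_disk(lnk_path):
        return None
    for s in strings:
        if s.lower().endswith((".dll", ".cpl")) and not is_local_disk(s) and file_exists(s):
            return s  # the library the shortcut would have made Windows load for its icon
    return None

def build_lnk(items) -> bytes:
    """Build a minimal .LNK (header + ID list of raw items) so the checker can be run offline."""
    hdr = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", 0x1)
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return hdr.ljust(0x4C, b"\x00") + struct.pack("<H", len(body)) + body

# Constructed sample: a Control Panel shortcut on a USB stick (E:) pointing at a DLL on the same stick.
SAMPLE_LNK = build_lnk([b"\x1f\x50" + CPL_FOLDER_CLSID.bytes_le, "E:\\suspect.dll".encode("utf-16-le")])
```

Running `exploit_target("E:\\autorun.lnk", SAMPLE_LNK)` against a real stick returns the DLL path when the file is present, and `None` once the shortcut or its target sits on C:, which is exactly the distinction the tool uses to leave your Start Menu shortcuts alone.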

What’s really nice is that it doesn’t matter what anti-virus software you’re using – you can still install this free tool from Sophos, and it will work alongside your existing anti-virus.

And the Sophos Windows Shortcut Exploit Protection Tool (maybe we should have come up with a shorter name?) is a piece of cake to install. The tool can be installed and uninstalled easily and quickly. Administrators can run the installer package on the computer, and network administrators can push the installer package via Group Policies.

Hopefully soon Microsoft will release a proper patch to protect against the shortcut vulnerability, and then you can simply uninstall our tool. But in the meantime, this is neat. Very neat.

Go and get it now.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
