Windows Mount Manager Bug

Microsoft recently patched a vulnerability in Windows Mount Manager, a driver in mountmgr.sys that assigns drive letters for dynamic and basic disk volumes. The flaw is being exploited in targeted attacks and patching this vulnerability is supposed to be prioritized. However, it requires local access to a machine to exploit.

Windows Mount Manager Bug

According to experts, this vulnerability can allow an attacker to run malicious code on a system if they can gain access to a USB port. Since this attack does require physical access to a system, its impact is limited to specific environments and circumstances.

Similar To Stuxnet.

Windows Mount Manager Bug works similar to the notorious Stuxnet, which can be called as world's first digital weapon. Stuxnet is a Dreaded malware infected over USB drives, malicious .wrecking havoc in industrial PLC & SCADA systems, especially the uranium plants of Iran. It too exploited a flaw in the Windows Shell that allowed local users and remote attackers to execute the malicious.LNK shortcut file. The vulnerability occurs because of the .LNK files are not properly handled during icon display in Windows Explorer and in Siemens WinCC SCADA systems. The malware executes by merely visiting a directory hosting the .LNK file. Stuxnet-infected machines spread the malware to USBs and other peripherals connected to the computer in the hopes of spreading the attack to air-gapped machines.

Fanny Worm too leverages Malicious.LNK shortcut file.

The .LNK vulnerability was also exploited by the Equation Group, uncovered by researchers at Kaspersky Lab, via the Fanny worm. Fanny exploits two zero days also used by Stuxnet and also spread over USB sticks to air-gapped computers.

Microsoft Issues Patches

In March, Microsoft patched the.LNK-related vulnerability again after German researcher Michael Heerklotz discovered that the original patch from August 2010 was incomplete. Heerklotz reported the bug to HP’s Zero Day Initiative, which said that Windows users had been exposed all along. Heerklotz said he found a way to bypass Microsoft’s patch by attacking other parts of the .LNK code that was not checked by the original patch.
The Mount Manager vulnerability patched is not remotely exploitable. It does allow for elevation of privilege and affects supported Windows systems, including Windows 10. Microsoft announced that in addition to the patch it was also making an event log available that detects attacks against this vulnerability.

Birth of Next Stuxnet?

Windows Mount Manager Bug has similar working patterns of Stuxnet. Taking all these aspects into account this obviously paves the way for the development of a similar or more sophisticated malware. It is also possible that another malware based on this zero-day vulnerability is already in released and leveraged in the wild. Hacking Team and their recent data breach is the best instance.

What do you think? Share your thoughts via comments.

Also Read

Post a Comment