Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time

Martin Brinkmann
Mar 19, 2025
Updated • Mar 19, 2025
Security, Windows 11 News

Microsoft is doing a commendable job when it comes to Windows security. Keeping billions of devices secure is no small feat. Sometimes, however, it appears that someone at Microsoft is pulling the brakes on specific vulnerabilities.

Take the following attack method as an example. It is a vulnerability in .lnk shortcuts that is exploited to trigger malware downloads. It was discovered by Trend Micro in 2024 and reported to Microsoft in September 2024.

Security engineers at Trend Micro say that the issue has been exploited since at least 2017 and that they have found almost 1,000 of these links in the wild already.

These links contain megabytes of whitespace characters, according to Trend Micro, to fool antivirus and other security solutions. Attacks come from four countries only -- North Korea, China, Russia, and Iran -- according to the researchers. Trend Micro revealed that the vast majority of attacks come from state-sponsored attack crews and fall in the information theft and espionage category. Governments were targeted the most, followed by the private and financial sector, think tanks, and telecommunications.

The attackers download and install different malware payloads on successfully exploited systems. Among them are notorious payloads and loaders such as Lumma Stealer and GuLoader.

Microsoft has not acted on the provided information. Trend Micro says that it decided to go public with the information because of Microsoft's inactivity. The threat "poses a significant risk to the confidentiality, integrity, and availability of data maintained by governments, critical infrastructure, and private organizations globally" according to the researchers.

Microsoft classified the issue as low severity according to Trend Micro, indicating that the issue may not be patched in the "immediate future".

In a comment to The Register, a Microsoft spokesperson encouraged customers to "exercise caution when downloading files from unknown sources".

Shortcut files can be analyzed on local Windows systems. The problem with the disclosed vulnerability is that the malicious link files are specifically crafted so that, according to Trend Micro, the user won't see the exploit when inspecting the shortcut.
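As an added, defender-side illustration (not code from Trend Micro, Microsoft or this article): a small Python parser that reads the MS-SHLLINK header and StringData of a .lnk file and flags a command-line argument string that contains a long run of whitespace, the padding technique described above. It assumes the padding lives in the COMMAND_LINE_ARGUMENTS field, skips the IDList and LinkInfo blocks without interpreting them, and builds its own constructed sample .lnk for testing; the 64-character threshold is an arbitrary choice.

```python
import struct
# LinkFlags bits from the MS-SHLLINK header (offset 0x14).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                 HAS_ARGUMENTS, HAS_ICON_LOCATION)
WHITESPACE = " \t\r\n\x0b\x0c"

def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk ('' if none)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfoSize block
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    args = ""
    for field in STRING_FIELDS:
        if not flags & field:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + len(raw)
        if field == HAS_ARGUMENTS:
            args = raw.decode(codec, errors="replace")
    return args

def is_padded(args: str, min_run: int = 64) -> bool:
    """True if a whitespace run of min_run+ chars could push text out of view."""
    run = 0
    for ch in args:
        run = run + 1 if ch in WHITESPACE else 0
        if run >= min_run:
            return True
    return False

def build_lnk(args: str) -> bytes:
    """Constructed minimal .lnk (header + Unicode arguments) for offline tests."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)                  # HeaderSize
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

On a real system, feed the bytes of each .lnk under a download or mail attachment directory to lnk_arguments and review every hit by hand; a shortcut that is megabytes in size is itself worth a look.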

Some security solutions may recognize these malicious shortcuts already, others may do so in the near future.

Now You: what is your take on this? Should Microsoft develop a fix and release it? Feel free to leave a comment down below.

Publisher: Ghacks Technology News

Comments

  1. albresc said on March 24, 2025 at 4:45 pm

    Very well, Trend Micro!

    About ‘Tromp’, I would like to know what Ronald Reagan would say about his relation with ‘Tupin’…

  2. albresc said on March 24, 2025 at 4:41 pm

    Very well, Trend Micro!

    About ‘Tr0mp’, I would like to know what Ronald Reagan would say about him…

  3. Ty said on March 21, 2025 at 9:40 pm

    Anyone with even a kindergarten level of understanding about encryption, C&C’s will know they can cover their tracks very easily, and any claim about ‘North Korea, China, Russia, and Iran’ is a sensationalist ploy just to grab headlines, esp when it comes to state threat actors. Probably a deal with the NSA, the US government, and Israel, who is likely doing the bulk of exploitation on their own citizens, and around the globe.

    1. Ty said on March 21, 2025 at 9:46 pm

      Typically anyway, and I suspect the scapegoating of the axis of the civilized nations is also often done as a racket to garner U.S. government grants and funding

  4. Anonymous said on March 21, 2025 at 2:37 pm

    well, ‘lost in translation’, you’re free to believe that, but it adds nothing to tell us so.

    The main point of my previous comment, apart from reminding about some previous issues, is that they have a history of having gaping holes and the equivalent of “drive by” exploits. And leaving them in for extended time (until big bad PR or being quietly told to revoke them). Essentially that this reeks of ‘on purpose, because vector in use by TLAs’.
    So the first order of the day is to downplay and dismiss, so it does not catch the wind it deserves that will pressure them to close it to keep up appearances.
    “ui issue” my ass… which itself certainly has UX issues, with the farts and poop it emits. An unpleasant and smelly device.

    But I get your point in part. There is usually an unusual amount of distracting nutjob posts when things like this get publicity. And they are there for that exact purpose. Distracting, triggering so hard that people take the bait instead and forget about the original issue.
    You should see what Schneier’s blog was like before he resorted to putting a moderation team on the comments. Heaps of nutjob posts to make your head pop from the crazy and unhinged. Again, probably intended, to distract and drive away readers. And bring the site and author in disrepute by association, because if you google that and see those, you’d quite likely decline to spend any time there at all and not buy any of his books.
    That’s just the ugly way things are when you write about it-security or sigint issues that are “touchy”. Not even “sensitive” or ‘need to know only’. Really big interests want to keep people in the dark about that for heaps of reasons, governments and businesses alike.

  5. Lost in translation said on March 21, 2025 at 12:18 am

    I do believe that all these comments are AI generated by the way.

  6. Anonymous said on March 20, 2025 at 3:07 pm

    When you hear a “won’t fix” answer like that from MS, you should read that as meaning that they have people telling them to leave it in because they want to keep using it.
    They have a very considerable history, some would say tradition, of leaving “oddly” broken things in that are eminently exploitable.
    Abusable ‘LNK’ is just another of those.
    Malformed/rigged embedded icons in exefiles (that file explorer handily wants to dig out to be helpful)
    Autorun
    The old metafile exploit from as far back as the 95/98 days, that was also automatic CE-exploit without any user interaction when inserting a medium like a 3.5″ floppy.
    That’s just the free sample of what I can recall without resorting to saved articles.
    And entirely too much to even begin to get into with ms-ie.

  7. WindowsSevenForever said on March 19, 2025 at 10:11 pm

    My Windows 7 PC is on the network and running 24/7, and I’m still waiting for the Boogieman to exploit it.

    1. Tom said on March 20, 2025 at 12:09 am

      Not 24/7 here, but still many hours daily… Nothing happened, despite the fact I’m not even using AV software.

  8. James NBO said on March 19, 2025 at 7:57 pm

    Can any fix or workaround be applied to mitigate this issue?

  9. Tsami said on March 19, 2025 at 6:48 pm

    For subscribers, perhaps 0Patch will have neutralized the issue.

  10. TelV said on March 19, 2025 at 3:04 pm

    If it’s Russian, steer it towards the US. Trump has apparently ordered their security apparatus to ignore Russian threats as being no longer credible: https://www.theguardian.com/us-news/2025/feb/28/trump-russia-hacking-cyber-security

    But maybe Trump is a Russian agent and is just following Putin’s orders: https://www.politico.eu/article/donald-trump-russia-the-hidden-history-of-trumps-first-trip-to-moscow/

    1. Donnie Card said on March 21, 2025 at 12:03 pm

      ^^^
      FoxNews watchers recount is over.

    2. Herman Cost said on March 20, 2025 at 2:01 pm

      There must be a full moon

    3. James said on March 20, 2025 at 12:24 am

      OMG, the TDS virus is infecting everything.
      Don’t you have Reddit to spew your crazy conspiracy theories?
      Nobody cares

    4. boris said on March 19, 2025 at 11:51 pm

      Really, Politico as information source? One of the most unhinged disinformation sources on the level with AlterNet, Al-Jazeera and MarySue.

      1. Andy said on March 21, 2025 at 10:06 pm

        OMG! We need to rename/redefine TDS as
        “truth derangement syndrome”.
        Really, you must, at this point, only trust Alex Jones!
        I know you consider Fox News to be suspect when not sufficiently aligned to MAGA propaganda.

      2. James said on March 22, 2025 at 9:51 am

        @Andy
        Please tell me what Trump has to do with this article. The answer is NOTHING. Yet you and that TelV guy somehow think it’s pertinent to bring Trump to the conversation, with some far fetched connection that nobody cares about except for you CNN watching zombies.
        People with TDS can’t see they have TDS. It really is a derangement syndrome.
        I’m not even American, but you people with TDS stick out like a sore thumb. Very strange behavior from people who think they are the “educated” bunch.
        So bizarre.

      3. James said on March 22, 2025 at 9:46 am

        @Andy
        TDS means exactly what it’s always meant: Seeing Trump everywhere and having an irrational need to broadcast to the world how much you hate him.
        By your post with as many buzz phrases as possible, I can tell you’re one of them.

      4. boris said on March 22, 2025 at 3:48 am

        Wrong. I never watched Alex Jones. He is a provocateur. I do not expect any substance from him. I also have not watched news from Fox News or CNN or MSNBC probably in 5 years. Maybe some clips from Gutfield monologues if they are funny. The only thing I am interested in cable networks recently is ratings, which host gets fired or just something real stupid that some of the hosts/panelists say.

        I am not MAGA, and I voted last minute after seeing cringe “Avengers for Harris” and “White dudes for Harris” ads. I knew at that moment that regardless how much I hated both candidates, I had to vote for the lesser evil regardless how much stink will be on me.

        I find most of the websites on the left and the right extremely misinformative. The problem with the left news websites is that they pretend that they are telling the absolute truth. Websites on the right, you can feel that they are mostly opinions and they are not hiding it. That’s why I give them more of a pass.

      5. Allwynd said on March 20, 2025 at 6:22 am

        Don’t forget Reuters, corrupt and spewing lies left and right.

  11. justAI said on March 19, 2025 at 2:43 pm

    “Now You: what is your take on this? Should Microsoft develop a fix and release it? Feel free to leave a comment down below.”

    Really?

  12. JohnIL said on March 19, 2025 at 2:25 pm

    Windows is just a legacy mess and it seems Microsoft treats it as a legacy product. Something they still need but are mostly concerned about pushing their AI and cloud services through. A necessary evil so to speak. Every month we see a laundry list of fixes and patches for security risks. Windows is like a rickety old dam that develops cracks and leaks monthly.

    1. Andy said on March 21, 2025 at 10:15 pm

      Maybe MS should ask CoPilot to help them come up with a solution?
      CoPilot Pro?

    2. Darium23 said on March 19, 2025 at 3:42 pm

      You’re right. Full of holes to exploit, the Windows operating system is a security risk in itself.

      1. bruh said on March 21, 2025 at 11:25 am

        Yet it’s not… most things can be exploited if enough time, manpower is expended. Windows systems aren’t randomly getting wrecked unless you’re a high value target, in which case the operating system is just one of many attack vectors; if they wouldn’t use the OS, they’d get you some other way.

        Boots on the ground, day to day use, Windows devices are never getting compromised unless it’s user error. I work at an MSP that supports 80+ companies. You still have all the security measures in place, of course – but this is just anti-windows yapping – sad to say you guys don’t know a thing.

  13. Tachy said on March 19, 2025 at 2:15 pm

    I’ve often heard “I didn’t download anything!”.

    People don’t realize that everything they see on the screen in a web browser is something they just “downloaded”.

    All it takes is landing on the wrong webpage these days.

    1. bruh said on March 21, 2025 at 11:26 am

      “All it takes is landing on the wrong webpage these days.” not true. Send me such a link… ruin my life… go for it, I give you permission. You’ll never find one because they just aren’t a thing.

    2. boris said on March 19, 2025 at 11:45 pm

      Not if you are using an ad blocker on sketchy websites and block Google Ads. And using common sense too. I am not using any real time Antivirus software for a few months and have not updated Windows in a year. I feel perfectly safe as long as I use backups just in case.

    3. NotOnMySideOfThe Clou said on March 19, 2025 at 9:09 pm

      While true, you still have to physically click/open on a link to activate/download the payload. Otherwise, it just eternally sits there waiting, like a venus flytrap.

      1. boris said on March 22, 2025 at 3:21 am

        That’s why you clean Browser cache from time to time and clean temporary files regularly.
