Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports:

The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut’s target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend’s Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. “This is one of many bugs that the attackers are using, but this is one that is not patched and that’s why we reported it as a zero day,” Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. “We told Microsoft but they consider it a UI issue, not a security issue. So it doesn’t meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines.”

After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.
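As an added defender-side example (not Trend Micro's, Microsoft's or The Register's code), the following Python parses the StringData section of a .LNK file and flags a shortcut whose command-line arguments hide a command behind a long whitespace run, the concealment trick described above. The two sample shortcuts are constructed in the block itself, and the 64-character threshold for a suspicious whitespace run is an assumption.

```python
import re
import struct

# Layout per MS-SHLLINK: 76-byte ShellLinkHeader, optional IDList/LinkInfo, then
# StringData (Name, RelativePath, WorkingDir, Arguments, IconLocation) by flag bit.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name .. IconLocation, in file order


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file, keyed by LinkFlags bit."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:  # IDListSize (2 bytes) precedes the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no NUL
            raw = data[pos + 2:pos + 2 + (count * 2 if unicode else count)]
            pos += 2 + len(raw)
            fields[bit] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def padded_arguments(data: bytes, max_run: int = 64):
    """Return (flagged, longest whitespace run, collapsed view) of the arguments."""
    args = parse_lnk_strings(data).get(HAS_ARGUMENTS, "")
    run = max((len(m.group()) for m in re.finditer(r"\s+", args)), default=0)
    return run > max_run, run, re.sub(r"\s+", " ", args).strip()


def build_lnk(arguments: str) -> bytes:
    """Constructed minimal shortcut (header + Arguments only) for testing."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, HEADER_SIZE)
    hdr[4:20] = LNK_CLSID
    struct.pack_into("<I", hdr, 20, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(hdr) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed samples: a normal shortcut, and one whose second command sits behind 4000 spaces.
BENIGN = build_lnk("/c echo hi")
PADDED = build_lnk("/c echo visible" + " " * 4000 + "& echo hidden")
```

The collapsed view returned by `padded_arguments` is what an analyst would log or surface in a triage tool, since it shows the whole command line regardless of how the Properties dialog renders it.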

  • lazynooblet · 7 upvotes · 2 days ago

    Correct me if I’m wrong but doesn’t zero day just mean there is no patch or mitigation available?

      • atrielienz@lemmy.world · 4 upvotes, 1 downvote · 2 days ago

        “Despite developers’ goal of delivering a product that works entirely as intended, virtually all software and hardware contain bugs.[7] If a bug creates a security risk, it is called a vulnerability. Vulnerabilities vary in their ability to be exploited by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a denial of service attack. The most valuable allow the attacker to inject and run their own code, without the user being aware of it.[8] Although the term “zero-day” initially referred to the time since the vendor had become aware of the vulnerability, zero-day vulnerabilities can also be defined as the subset of vulnerabilities for which no patch or other fix is available.[9][10][11] A zero-day exploit is any exploit that takes advantage of such a vulnerability.[8]”

        That’s the definition straight from Wikipedia.

        • cron@feddit.org · 6 upvotes · 1 day ago

          Although the term “zero-day” initially referred to the time since the vendor had become aware of the vulnerability […]

          Yes, this is the original definition that made sense. It doesn’t make sense to me that this definition apparently has been adjusted to include all unpatched vulnerabilities.

          • atrielienz@lemmy.world · 2 upvotes · 4 hours ago

            Yeah. I read the whole article. But terms evolve over time and the whole definition is valid. Because that’s how people and media are using it.

        • sugar_in_your_tea@sh.itjust.works · 4 upvotes · 2 days ago (edited)

          True. However, if a vulnerability is well known and nobody is bothering to patch it, I doubt most would call it a zero day. At that point it goes back to being an unpatched vulnerability.

          So I’d call something a zero day between discovery and an official response from the vendor (either a patch or confirmation that it’s not getting patched). That’s how I use it, not sure about others.

          • atrielienz@lemmy.world · 1 upvote · 4 hours ago

            I don’t disagree with the premise. But I think the term also serves to demonstrate the severity of the risk when it has gone unpatched. The whole definition is valid, not just the bits and pieces because terms like this evolve over time. We still call disk partitions disks, even though that’s not really accurate anymore. An NVME drive with a C, D and E partition isn’t the same as having separate disk drives was back in the 90’s.

            • sugar_in_your_tea@sh.itjust.works · 1 upvote · 4 hours ago

              I guess I’m old school. For me, “zero day” was always about the time the developer had before the exploit was in the wild. In the old days of physical media, there’d usually be a window between an exploit found on pre-release software that had already been shipped, and the dev could get a fix ready in that time (day 1 patch, like in video games). But if it was found on released software, they’d have zero days to patch it before people are impacted.

              The severity has always been a different thing entirely, which is based on:

              • type of exploit - privilege escalation vs code execution
              • ease of exploit - does it need another exploit to work?
              • whether it’s in the wild or theoretical

              A zero day could be any of those.

              We still call disk partitions disks, even though that’s not really accurate anymore. An NVME drive with a C, D and E partition

              I don’t? But then again, I’m a Linux guy, so lettered “partitions” aren’t a thing for me, there are drives (physical), partitions, and mount points (where on the FS does that data live). I haven’t used Windows in a significant way for over a decade.