Security vendor F-Secure has criticised the wording used in a Microsoft security advisory relating to a shortcut vulnerability in Windows.
F-Secure posted a blog update which drew attention to the "proof of concept" code for an unpatched Windows shortcut vulnerability. The vulnerability means that shortcuts (.lnk files) can contain malicious code, which can be used to create viruses that spread via USB drives, for example.
The exploit means that just inserting a USB stick and browsing the contents of the drive can execute the code; no clicking is required. Microsoft's security advisory had said: "For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."
F-Secure took issue with the wording in this advisory because Windows 7 does indeed have AutoPlay enabled by default. This results in a dialog offering choices when a drive is inserted; clicking on browse contents would enable the attack. It seems likely Microsoft confused AutoPlay and AutoRun, as F-Secure points out.
"Ordinarily we wouldn't pick these small nits with Microsoft but we think this is particularly important as it's the advisory that provides official information for those assessing risk to their organizations," said F-Secure.