Security vendor F-Secure has criticised the wording used in a Microsoft security advisory relating to a shortcut vulnerability in Windows.
F-Secure posted a blog update which drew attention to the "proof of concept" code for an unpatched Windows shortcut vulnerability. The vulnerability means that shortcuts (.lnk files) can contain malicious code which can be used to create viruses that spread via USB drives, for example.
The exploit means that simply inserting a USB stick and browsing the contents of the drive can execute the code; no clicking is required. Microsoft’s security advisory had said: "For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."
F-Secure took issue with the wording in this advisory because Windows 7 does indeed have AutoPlay enabled by default. This results in a dialog offering choices when a drive is inserted, and clicking on "browse contents" would enable the attack. It seems likely that Microsoft confused AutoPlay and AutoRun, as F-Secure points out.
"Ordinarily we wouldn’t pick these small nits with Microsoft but we think this is particularly important as it’s the advisory that provides official information for those assessing risk to their organizations," said F-Secure.