Microsoft Has No Immediate Plans To Fix Zero-Day Flaw, Exploited Since 2017

Microsoft has no plans to fix a flaw that has been exploited by hostile nation states for eight years.

A Microsoft Windows security flaw has been exploited by multiple nation-state-sponsored APT groups, including those from China, Iran, North Korea, and Russia. The unpatched vulnerability has been used in campaigns of financially motivated cybercrime, data theft and espionage, according to Trend Micro.

Organizations across the government, financial, telecommunications, military, and energy sectors have been affected in geographies as widespread as North America, Europe, Asia, South America and Australia.

Trend said that most of the victims it sampled were in North America, and that of the 11 state-sponsored threat actors it found abusing the flaw, nearly half originated in North Korea.

The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373, allows bad actors to execute hidden malicious commands on a victim's machine by leveraging crafted Windows Shortcut, or Shell Link (.LNK), files.

“The attacks leverage hidden command line arguments within .LNK files to execute malicious payloads, complicating detection,” security researchers Peter Girnus and Aliakbar Zahravi told The Hacker News. “The exploitation of ZDI-CAN-25373 exposes organizations to significant risks of data theft and cyber espionage.”
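As an added example (not code from Trend Micro, Microsoft or this article), the following Python walks the MS-SHLLINK structures of a shortcut file to pull out the COMMAND_LINE_ARGUMENTS string and flags argument strings whose visible content is buried behind heavy whitespace, which is what makes the arguments hard to see in the file's Properties dialog. The 64-character padding threshold, the cp1252 fallback for non-Unicode strings, and the sample .LNK fixtures built by `build_sample_lnk` are assumptions made for the example.

```python
import struct

LNK_MAGIC = 0x4C                         # ShellLinkHeader.HeaderSize is always 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# StringData entries follow in this fixed order, each present only when its LinkFlags bit is set
STRING_FLAGS = [0x04, 0x08, 0x10, HAS_ARGUMENTS, 0x40]  # Name, RelPath, WorkDir, Args, IconLoc
PAD_THRESHOLD = 64                       # assumed: more whitespace than this is treated as padding

def extract_arguments(data: bytes) -> str:
    """Return COMMAND_LINE_ARGUMENTS from a Shell Link blob, or '' when the field is absent."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                          # ShellLinkHeader is a fixed 76 bytes
    if flags & HAS_ID_LIST:                           # LinkTargetIDList: 2-byte IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # LinkInfo: 4-byte LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")  # cp1252 assumed for ANSI
    for flag in STRING_FLAGS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator follows
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            return raw.decode(codec, errors="replace")
    return ""

def inspect_arguments(args: str) -> dict:
    """Separate what a Properties dialog would show from the whitespace that pushes it out of view."""
    padding = sum(ch.isspace() for ch in args)
    return {"visible": args.strip(), "padding_chars": padding, "suspicious": padding > PAD_THRESHOLD}

def build_sample_lnk(args: str, id_list: bytes = b"") -> bytes:
    """Constructed test fixture: a minimal Unicode .LNK carrying only an optional IDList and arguments."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_ID_LIST if id_list else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_MAGIC, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # zero attrs/times/size, SW_SHOWNORMAL
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    return header + body + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    for sample in ("/silent", " " * 300 + "/c echo constructed-sample"):
        print(inspect_arguments(extract_arguments(build_sample_lnk(sample))))
```

On a real shortcut, replace the fixture with `open(path, "rb").read()`; a high `padding_chars` count on a file that arrived by mail or download is the signal worth hunting for.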

Trend reported the vulnerability to Microsoft last September and said it had found nearly 1,000 tampered .LNK files in circulation; the vendor believes the actual number of attacks is likely higher. Trend chose to go public now because of Microsoft’s insistence that the flaw is a UI issue rather than a security risk.

In a post-publication comment to The Hacker News, a Microsoft spokesperson said that because the company considers this a UI issue, it does not meet Microsoft’s bar for immediate patching. Microsoft said it would consider addressing the flaw in a future release. The spokesperson added:

“Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files.”

This article originally appeared on our sister site Computing.