The folks over at the Metasploit Framework have released a working exploit module that takes advantage of the much-talked-about vulnerability in the Windows Shell.
This module proves this vulnerability is not limited to being exploited via thumb drives or email attachments.
Microsoft has no patch available yet; however, they offer some ugly workarounds: disable the display of .lnk and .pif files, block .lnk and .pif files at your network’s perimeter, or disable WebDAV…
FYI: Disabling WebDAV wreaks havoc in some SharePoint instances.
The browser exploit module uses WebDAV to host a .lnk file and a malicious DLL. No click necessary! After the target browses to a malicious site, assuming WebDAV is enabled, up pops a window containing the two files and your msf payload is deployed. McAfee 8.7.0i was mum to the exploit, even though a source at McAfee has stated, “Coverage for known exploits is provided in the current DAT set (6047) as Generic Dropper!dfg”. Perhaps that’s why I got no alert: my payload wasn’t a trojan.
Regardless, this is a very good delivery method, and while the attacks using this method in the wild are targeted, I wouldn’t be surprised if more malcode were to be spread via this vector.
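For defenders who cannot disable WebDAV, the delivery described above leaves a recognizable trail at the proxy: a .lnk or .pif pulled from an external host, usually with a DLL fetched from the same host by the Windows WebDAV client. The following is an added example, not code from this post or from Metasploit; the log format, the internal host list and address range, and the sample lines are all constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# Constructed sample; assumed format: time client method url status "user-agent"
SAMPLE_LOG = """\
2010-07-20T10:01:02 10.1.1.5 GET http://intranet.example/docs/readme.txt 200 "Mozilla/4.0 (compatible; MSIE 8.0)"
2010-07-20T10:01:09 10.1.1.7 PROPFIND http://203.0.113.9/share/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7600"
2010-07-20T10:01:10 10.1.1.7 GET http://203.0.113.9/share/open%20me.LNK 200 "Microsoft-WebDAV-MiniRedir/6.1.7600"
2010-07-20T10:01:10 10.1.1.7 GET http://203.0.113.9/share/helper.dll 200 "Microsoft-WebDAV-MiniRedir/6.1.7600"
2010-07-20T10:02:30 10.1.1.8 GET http://10.2.0.4/sites/team/link.lnk 200 "Microsoft-WebDAV-MiniRedir/6.1.7600"
2010-07-20T10:03:00 10.1.1.9 GET http://198.51.100.3/files/old.pif 200 "Mozilla/4.0 (compatible; MSIE 8.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
SHORTCUT_EXT = (".lnk", ".pif")           # types the perimeter workaround blocks
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"  # user-agent of the Windows WebDAV client
INTERNAL_HOSTS = {"intranet.example"}     # assumption: site-specific allowlist
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: site-specific range

def is_internal(host):
    if host in INTERNAL_HOSTS:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # unknown hostname: treat as external
    return any(addr in net for net in INTERNAL_NETS)

def find_suspect_fetches(log_text):
    """Report external .lnk/.pif downloads and DLLs pulled with them over WebDAV."""
    shortcuts, dlls = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, method, url, _status, ua = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        name = unquote(parts.path).rsplit("/", 1)[-1].lower()
        if method != "GET" or is_internal(host):
            continue
        if name.endswith(SHORTCUT_EXT):
            shortcuts.append((client, host, name, WEBDAV_UA in ua))
        elif name.endswith(".dll") and WEBDAV_UA in ua:
            dlls.append((client, host, name))
    return [{"client": c, "host": h, "shortcut": n, "webdav": dav,
             "dlls": sorted(d[2] for d in dlls if d[:2] == (c, h))}
            for c, h, n, dav in shortcuts]
```

Internal WebDAV traffic such as SharePoint is skipped by design, which is why the internal host list and range need to match your own environment before the results mean anything.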