A file containing Microsoft LNK data was detected (HTTP_Lnk_File_Accessed)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This event triggers when an HTTP response contains a LNK file.

Under some circumstances, an attacker could use such a file to gain access to privileged information on the client system, or an attacker could use the *.LNK file to perform a remote code execution attack on the system receiving the file.

This event supersedes the HTTP_FileTypeLnk event.

Default risk level

 Medium

Sensors that have this signature

Proventia Network IPS: XPU 30.071, Proventia Desktop: 2545, RealSecure Network: XPU 30.071, RealSecure Server Sensor: XPU 30.071, Proventia Network MFS: XPU 30.071, Proventia-G 1.1 and earlier: XPU 30.071, Proventia Network IDS: XPU 30.071, IBM Security Server Protection for Windows: 2.1.14.2545, Virtual Server Protection for Vmware: XPU 30.071, Proventia Server IPS for Linux technology: 30.071

Systems affected

Microsoft Windows XP: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium

Type

Suspicious Activity

Vulnerability description

How to remove this vulnerability

References