A file containing Microsoft LNK data was detected (LNK_File_Detected)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This event triggers when a Microsoft shortcut file is detected.

These types of files should not be seen traversing your network, with the possible exception of being detected via the SMB/CIFS protocol.

The nature of these files enables them to access resources which may be outside of your control, thus enabling a remote code execution attack on your systems.


False negatives

Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: This event will not trigger if a LNK file is detected via the SMB protocol.

Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Network IPS: XPU 30.071, Proventia Desktop: 2545, RealSecure Network: XPU 30.071, RealSecure Server Sensor: XPU 30.071, Proventia Network MFS: XPU 30.071, Proventia-G 1.1 and earlier: XPU 30.071, Proventia Network IDS: XPU 30.071, IBM Security Server Protection for Windows: 2.1.14.2545, Virtual Server Protection for Vmware: XPU 30.071, Proventia Server IPS for Linux technology: 30.071

Systems affected

Microsoft Windows XP: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium

Type

Suspicious Activity

Vulnerability description

Microsoft LNK files typically should not be detected traversing the network. Such files may be specially constructed to allow an attack to gain control of your system, or execute remote code.

How to remove this vulnerability

Block traffic and investigate if necessary.

References

IBM Internet Security Systems Protection Alert
Microsoft Windows Shell Could Allow Remote Code Execution
http://www.iss.net/threats/373.html

ISS X-Force
A file containing Microsoft LNK data was detected
http://www.iss.net/security_center/static/60478.php