Trend Micro Reveals Microsoft Ignored Shortcut Vulnerability for Over 8 Years, Classifying it as a UI Issue Instead of a Security Flaw

Trend Micro researchers have reported that Microsoft has not addressed a vulnerability in shortcut settings for over eight years, since 2017. Microsoft considers the issue a user interface concern rather than a security flaw in the operating system, and therefore gives it a lower priority when reports requesting a fix are received.

It has been discovered that attackers can abuse the properties of *.LNK files (Shell Link or MS-SHLLINK) by padding the Target field with thousands of spaces, which conceals malicious commands. Essentially, command-line arguments in the Target field of *.LNK files can lead to code execution on the victim’s machine. The approach is low-tech, but it proves to be quite effective. Notably, the shortcuts used by the attackers point to legitimate files or executable programs, but they subtly incorporate additional instructions that extract or unpack malicious code and attempt to execute it on the system.

Typically, the destination of a shortcut and its command-line arguments are clearly visible in Windows, which would normally allow suspicious commands to be identified easily. However, when the extra command-line arguments are hidden behind countless spaces in the Target field, they are pushed out of view in the user interface and become deeply concealed.
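The padding trick lives entirely in the COMMAND_LINE_ARGUMENTS string of the shortcut, so a defender does not need the Windows UI to spot it: parsing the file directly exposes the whole argument string, padding included. The following is an added example written for this article, not code from Trend Micro, the Zero Day Initiative or Microsoft. It builds a constructed, well-formed .LNK in memory (the `build_lnk` helper, the `.\notes.txt` path and the echo arguments are all made up for the demo), walks the MS-SHLLINK layout far enough to reach the StringData section, and flags any run of whitespace in the arguments longer than an assumed threshold of 32 characters. The parser also handles the ANSI (non-Unicode) string form and skips a LinkInfo structure if present, which the constructed sample does not exercise.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# StringData sections appear in the file in exactly this order (section 2.4)
STRING_DATA_ORDER = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Characters an attacker can use as invisible filler in the Target field
WHITESPACE = " \t\n\r\x0b\x0c"


def build_lnk(arguments: str, relative_path: str = r".\notes.txt", padding: int = 0) -> bytes:
    """Constructed sample (hypothetical, not produced by Windows): a minimal
    Unicode .LNK with an empty ID list, a relative path and a
    COMMAND_LINE_ARGUMENTS string preceded by `padding` spaces."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"          # IDListSize + TerminalID
    padded_args = " " * padding + arguments

    def string_data(s: str) -> bytes:                     # CountCharacters + UTF-16LE
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    terminal_block = struct.pack("<I", 0)                 # ExtraData terminator
    return header + id_list + string_data(relative_path) + string_data(padded_args) + terminal_block


def parse_lnk(data: bytes) -> dict:
    """Parse the header, skip the ID list and LinkInfo, and decode StringData."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                    # IDListSize is a 2-byte count
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                              # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                              # system ANSI code page; cp1252 assumed
            strings[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return {"flags": flags, "strings": strings}


def longest_whitespace_run(s: str) -> int:
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch in WHITESPACE else 0
        best = max(best, cur)
    return best


def inspect_lnk(data: bytes, threshold: int = 32) -> dict:
    """Flag shortcuts whose arguments contain a whitespace run long enough to
    push the real arguments out of the visible Target field (threshold assumed)."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    run = longest_whitespace_run(args)
    return {
        "arguments_length": len(args),
        "longest_whitespace_run": run,
        "arguments_stripped": args.strip(),
        "suspicious": run >= threshold,
    }


if __name__ == "__main__":
    for label, blob in (("benign", build_lnk("/c echo hello")),
                        ("padded", build_lnk("/c echo constructed-sample", padding=900))):
        print(label, inspect_lnk(blob))
```

Pointing `inspect_lnk` at a real shortcut read from disk works the same way, since nothing in the parser depends on the constructed sample; the report shows the full argument string regardless of how wide the Properties dialog is, which is the check the UI does not give you.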

“This is one of the many flaws in Windows that attackers exploit, and it remains unaddressed. This is why we reported it as a zero-day vulnerability, ZDI-CAN-25373. We informed Microsoft, but they view it as a user interface issue rather than a security concern. Therefore, it does not meet their criteria for being treated as a security update, although it might be resolved in a future operating system version or something similar,” stated Dustin Childs, head of the threat notification department at the Zero Day Initiative.

Previously, cybersecurity researcher Will Dormann criticized Microsoft’s Security Response Center (MSRC) for neglecting to consider his vulnerability report until a white hat hacker provided a detailed video along with a written explanation that included confirming screenshots. “I understand that kids nowadays can’t grasp anything that isn’t on TikTok. But MSRC does not accept a clearly articulated vulnerability report unless it comes with a corresponding video,” Dormann remarked.

MSRC responded to Dormann with a request for a clear proof-of-concept (PoC) video demonstrating how the reported vulnerability is exploited. “Without this, we won’t be able to make any progress. It would be greatly appreciated.” Frustrated by Microsoft’s demands, when in Dormann’s view all that was required was to type the few commands already depicted in his screenshots and press Enter in CMD, the analyst created a fifteen-minute video filled with extraneous content. The video also features upbeat techno music and leaves the reviewer with roughly 14 minutes of inactivity to sit through (an edited-down version of the clip is embedded below).