Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports:
The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.
Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. "This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."
After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.
It somewhat annoys me that a eight year old bug is referred to as „zero day vulnerability“.
Correct me if I'm wrong but doesn't zero day just mean there is no patch or mitigation available?
I think it's more that it's recently discovered. If they sit on it and don't patch it, it's not really a zero day anymore.
"Despite developers' goal of delivering a product that works entirely as intended, virtually all software and hardware contain bugs.[7] If a bug creates a security risk, it is called a vulnerability. Vulnerabilities vary in their ability to be exploited by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a denial of service attack. The most valuable allow the attacker to inject and run their own code, without the user being aware of it.[8] Although the term "zero-day" initially referred to the time since the vendor had become aware of the vulnerability, zero-day vulnerabilities can also be defined as the subset of vulnerabilities for which no patch or other fix is available.[9][10][11] A zero-day exploit is any exploit that takes advantage of such a vulnerability.[8]"
That's the definition straight from Wikipedia.
Yes, this is the original definition that made sense. It doesn’t make sense to me that this definition apparently has been adjusted to include all unpatched vulnerabilities.
True. However, if a vulnerability is well known and nobody is bothering to patch it, I doubt most would call it a zero day. At that point it goes back to being an unpatched vulnerability.
So I'd call something a zero day between discovery and an official response from the vendor (either a patch or confirmation that it's not getting patched). That's how I use it, not sure about others.