A newly-uncovered flaw in the way Windows handles .lnk files offers crackers a way in - bypassing UAC.
Microsoft issued an unexpected security bulletin late last week for a critical flaw in the Windows shell that can lead to exploitation when removable media is inserted into a PC - and despite acknowledging that the vulnerability is being attacked, isn't planning an out-of-cycle patch.
The flaw is described over on Neowin as affecting the way that the Windows shell handles .lnk files - used to signify a shortcut to another file. If a removable storage device is connected to a system with AutoRun or AutoPlay enabled - or if the device is opened manually in Windows Explorer - the flaw is triggered and code is executed.
The vulnerability is particularly concerning, as it affects all current versions of Windows - including Windows 7 - and bypasses protections such as UAC designed to prevent exactly this kind of attack. Worse still, the vulnerability can potentially be exploited over WebDAV or network shares - with no physical access to the machine required.
Despite this, Microsoft's security bulletin regarding the issue is silent on when a fix is to be expected, even though the company acknowledges that the flaw is being actively exploited in what it claims are "limited, targeted attacks." Without an out-of-cycle patch for the flaw, the earliest the issue could be resolved is on Tuesday the 10th of August - the company's next Patch Tuesday.
So far, the only work-around offered by Microsoft for the issue is to disable icons for shortcuts - which makes everything a whole lot uglier, but should protect your system from attack.
Do you believe that this flaw is serious enough to warrant an out-of-cycle patch, or is the likelihood of you browsing to an affected share or using a malicious storage device so slim you're willing to wait for an in-cycle fix? Share your thoughts over in the forums.
Still they should patch that as quickly as possible, Joe Average ain't the sharpest tool in the box.
Tell them that shortcut icons can be exploited and they'll go around deleting everything.
I have to admit that the thought of telling someone that and seeing them do that would be highly entertaining and thoroughly amusing :)
:D
I can't delete Recycle Bin! Help!
;)
Congratulations! You just won the understatement of the year award! :D
A fix would be very nice (right now, please?) as one of our users almost had a call logged today as "Too blonde to use scanner - clue-by-4 required" (I get in trouble for that sort of thing, it's considered unprofessional) and I shudder to think what the blind clicking on the "Yes" button can cause if this flaw goes unpatched.
Much as I detest patch Tuesday it serves a purpose and this bunny should be right up there on the list as "Critical".
my messenger would pop and the ip would be in the irc channel.. oh those were the days- I dunno if you guys remember the oob nuke on windows 95.. you nuke whole groups of people on the internet by hitting blocks of ip's randomly and make their rigs bsod xD
the av software has gotten pretty good.. you're more prone to phishing someone's info than getting a trojan installed successfully.. human error will always be the biggest factor
anyone running the uac full up and tests the software they install in a vm beforehand- they'll have no problems for the most part
I'd like to see that in the next version of windows.. a feature like in acronis true image home- where you're able to install something and 'revert' back instead of relying on backups.. the restore does an ok job but a lot of times they just erase the restore points
I do think many of the trojans written today are by the av companies.. they gotta keep the wheel greased- they also aren't fond of the uac.. but microsoft default on the uac in windows 7 is pretty shitty- you have to turn it up to get any real use out of it.. it should be on or off
http://www.us-cert.gov/current/index.html#microsoft_windows_lnk_vulnerability
Microsoft Windows LNK Vulnerability
added July 16, 2010 at 10:08 am | updated July 19, 2010 at 09:02 am
US-CERT is aware of a vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for LNK files. Microsoft uses LNK files, commonly referred to as "shortcuts," as references to files or applications.
By convincing a user to display a specially-crafted LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user.
Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include
* disabling the display of icons for shortcuts
* disabling the WebClient service
In addition to implementing the workarounds listed in Microsoft Security Advisory 2286198, US-CERT encourages users and administrators to consider implementing the following best practice security measures to help further reduce the risks of this and other vulnerabilities:
* Disable AutoRun as described in Microsoft Support article 967715.
* Implement the principle of least privilege as defined in the Microsoft TechNet Library.
* Maintain up-to-date antivirus software.
Additional information can be found in the US-CERT Vulnerability Note VU#940193.
US-CERT will provide additional information as it becomes available.
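The article's only Microsoft workaround (disabling shortcut icons) and the longer US-CERT list quoted above (clear the icon handler, disable WebClient, disable AutoRun) are all host configuration changes, so here is an added PowerShell script that audits a machine against them and applies them on request. It is not code from the article, Microsoft or US-CERT. Assumptions of mine: the registry locations follow Microsoft Security Advisory 2286198 for the lnkfile IconHandler default value and KB967715 for the NoDriveTypeAutoRun value of 0xFF; the -Apply and -BackupDir parameters and the function names are this script's own. It needs an elevated PowerShell session.

```powershell
<#
  Added example (not the article's, Microsoft's or US-CERT's code): audit the
  LNK-related workarounds discussed on this page and apply them with -Apply.
  Assumptions: IconHandler key per MS Advisory 2286198, NoDriveTypeAutoRun=0xFF
  per KB967715; -Apply/-BackupDir and the function names are this script's own.
#>
[CmdletBinding()]
param(
    [switch]$Apply,
    [string]$BackupDir = "$env:ProgramData\lnk-mitigation-backup"
)

$iconKey    = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$autorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-LnkMitigationState {
    # Shortcut icon handler: the advisory's workaround blanks the default value of
    # this key so Explorer stops loading icons for .lnk files.
    $handler = (Get-ItemProperty -Path $iconKey -ErrorAction SilentlyContinue).'(default)'

    # WebClient service: stopping and disabling it removes the WebDAV path to the flaw.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"

    # AutoRun: KB967715 sets NoDriveTypeAutoRun to 0xFF to disable it for all drive types.
    $autorun = (Get-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    [PSCustomObject]@{
        IconHandlerCleared = [string]::IsNullOrEmpty($handler)
        IconHandlerValue   = $handler
        WebClientDisabled  = ($null -eq $svc) -or
                             ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
        AutoRunDisabled    = (($autorun -band 0xFF) -eq 0xFF)
    }
}

function Set-LnkMitigations {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # 1. Back up, then clear, the shortcut icon handler (shortcuts lose their icons;
    #    re-importing the .reg file written here restores them).
    & reg.exe export 'HKCR\lnkfile\shellex\IconHandler' `
        (Join-Path $BackupDir 'IconHandler.reg') /y | Out-Null
    Set-Item -Path $iconKey -Value ''

    # 2. Stop and disable the WebClient (WebDAV) service.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled

    # 3. Disable AutoRun on every drive type.
    New-Item -Path $autorunKey -Force | Out-Null
    New-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
}

Write-Host 'Before:'
Get-LnkMitigationState | Format-List
if ($Apply) {
    Set-LnkMitigations
    Write-Host 'After:'
    Get-LnkMitigationState | Format-List
}
```

Run it without parameters first to see which of the three settings a host already has; the audit half is read-only. The icon handler export is written before the value is cleared precisely because the US-CERT notice warns the workarounds affect functionality: once a patch ships, `reg import` of that file puts shortcut icons back.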
Would deleting the recycle bin be the same as dividing by zero?
I wish! The implosion in the space time continuum caused should be localised and therefore only eliminate the specific perpetrator rather than the whole universe. We can, at least, hope that this would be the case.
Full credit for the rational approach. We're talking about end users here - "To click or not to click, that is the question. Whether 'tis nobler..." (I sincerely apologise for seriously mauling that quote but I hope that you get the picture I'm seeing at the moment). The rational, secure approach is for the geeks/network techs. For everyone else it's simply a case of "What happens if I click on this?" and some bugger else has to clean up the mess.
If I recall actually, a lot of people had problems with deleting their recycle bin and then couldn't get it back :)
- err yes! - unless you SHIFT DELETE - then it's like multiplying by zero!
wow that's pretty bad.. you just have to view the lnk in the explorer to execute the code.. so it's to do with executing the code through an overflow when it goes to load the icon
man that's sick.. you can't even view a file without getting it up the yahoo :D something like this would have been caught on open source a long time ago
Whoa. Dude. It's like there is a recycle bin in the recycle bin. Like, the circle of life, bro. Far out, man. It's like a double rainbow.
I did read it all, assuming you know what shortcuts you have on your desktop...
In windows 95, you could install applications in the recycle bin... And never be able to remove them anymore.