bit-tech.net

Critical Windows flaw uncovered

A newly-uncovered flaw in the way Windows handles .lnk files offers crackers a way in - bypassing UAC.

Microsoft issued an unexpected security bulletin late last week for a critical flaw in the Windows shell that can lead to exploitation when removable media is inserted into a PC - and despite acknowledging that the vulnerability is being attacked, isn't planning an out-of-cycle patch.

The flaw is described over on Neowin as affecting the way that the Windows shell handles .lnk files - used to signify a shortcut to another file. If a removable storage device is connected to a system with AutoRun or AutoPlay enabled - or if the device is opened manually in Windows Explorer - the flaw is triggered and code is executed.

The vulnerability is particularly concerning, as it affects all current versions of Windows - including Windows 7 - and bypasses protections such as UAC designed to prevent exactly this kind of attack. Worse still, the vulnerability can potentially be exploited over WebDAV or network shares - with no physical access to the machine required.

Despite this, Microsoft's security bulletin regarding the issue is silent on when a fix is to be expected - despite the company acknowledging that the flaw is being actively exploited in what it claims are "limited, targeted attacks." Without an out-of-cycle patch for the flaw, the earliest the issue could be resolved is on Tuesday the 10th of August - the company's next Patch Tuesday.

So far, the only workaround offered by Microsoft for the issue is to disable the display of icons for shortcuts - which makes everything a whole lot uglier, but should protect your system from attack.

Do you believe that this flaw is serious enough to warrant an out-of-cycle patch, or is the likelihood of you browsing to an affected share or using a malicious storage device so slim you're willing to wait for an in-cycle fix? Share your thoughts over in the forums.

20 Comments
proxess 19th July 2010, 11:19 Quote
Ouch. Tho it doesn't seem that bad on Windows 7, autorun is off by default. What about XP and Vista? Is it the same on these? I bet Windows ME is safe on this one.
leexgx 19th July 2010, 11:45 Quote
not an auto run bug, short cut bug (read the last part)
perplekks45 19th July 2010, 13:09 Quote
Not a severe bug, just don't use .lnk files...
Still they should patch that as quickly as possible, Joe Average ain't the sharpest tool in the box.
Jack_Pepsi 19th July 2010, 14:02 Quote
It doesn't matter at all for the average user, it's already too late for them and their ignorance. They'll continue to use Limewire blissfully unaware. The majority believe that the scare-ware AV software that's doing the rounds is actually their AV.

Tell them that shortcut icons can be exploited and they'll go around deleting everything.
DarkLord7854 19th July 2010, 15:44 Quote
Quote:
Originally Posted by Jack_Pepsi
Tell them that shortcut icons can be exploited and they'll go around deleting everything.

I have to admit that the thought of telling someone that and seeing them do that would be highly entertaining and thoroughly amusing :)
Jack_Pepsi 19th July 2010, 15:50 Quote
That it would.

:D
HourBeforeDawn 19th July 2010, 18:08 Quote
I'm confused. I thought they released an update a while back that stopped AutoRun from starting, to stop or slow down that one cornflickerwhatever virus? I know when I plug in removable media nothing happens until I go and actually open it.
Jim 19th July 2010, 20:17 Quote
Quote:
Originally Posted by Jack_Pepsi
Tell them that shortcut icons can be exploited and they'll go around deleting everything.

I can't delete Recycle Bin! Help!

;)
Grimloon 19th July 2010, 21:01 Quote
Quote:
Originally Posted by perplekks45
Not a severe bug, just don't use .lnk files...
Still they should patch that as quickly as possible, Joe Average ain't the sharpest tool in the box.

Congratulations! You just won the understatement of the year award! :D

A fix would be very nice (right now, please?) as one of our users almost had a call logged today as "Too blonde to use scanner - clue-by-4 required" (I get in trouble for that sort of thing, it's considered unprofessional) and I shudder to think what the blind clicking on the "Yes" button can cause if this flaw goes unpatched.

Much as I detest patch Tuesday it serves a purpose and this bunny should be right up there on the list as "Critical".
thehippoz 19th July 2010, 22:26 Quote
ah yeah autorun.inf trojaning.. I used to silk rope trojan onto the setup (granted this was a long time ago when autorun was on by default).. it was a guaranteed thing as soon as they put in the disk

my messenger would pop and the ip would be in the irc channel.. oh those were the days- I dunno if you guys remember the oob nuke on windows 95.. you nuke whole groups of people on the internet by hitting blocks of ip's randomly and make their rigs bsod xD

the av software has gotten pretty good.. you're more prone to phishing someone's info than getting a trojan installed successfully.. human error will always be the biggest factor

anyone running the uac full up and tests the software they install in a vm beforehand- they'll have no problems for the most part

I'd like to see that in the next version of windows.. a feature like in acronis true image home- where you're able to install something and 'revert' back instead of relying on backups.. the restore does an ok job but a lot of times they just erase the restore points

I do think many of the trojans written today are by the av companies.. they gotta keep the wheel greased- they also aren't fond of the uac.. but microsoft default on the uac in windows 7 is pretty shitty- you have to turn it up to get any real use out of it.. it should be on or off
MrZephyr 19th July 2010, 22:49 Quote
Check out the US-CERT website, they say there is a workaround available:

http://www.us-cert.gov/current/index.html#microsoft_windows_lnk_vulnerability

Microsoft Windows LNK Vulnerability
added July 16, 2010 at 10:08 am | updated July 19, 2010 at 09:02 am

US-CERT is aware of a vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for LNK files. Microsoft uses LNK files, commonly referred to as "shortcuts," as references to files or applications.

By convincing a user to display a specially-crafted LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user.

Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include:

* disabling the display of icons for shortcuts
* disabling the WebClient service

In addition to implementing the workarounds listed in Microsoft Security Advisory 2286198, US-CERT encourages users and administrators to consider implementing the following best practice security measures to help further reduce the risks of this and other vulnerabilities:

* Disable AutoRun as described in Microsoft Support article 967715.
* Implement the principle of least privilege as defined in the Microsoft TechNet Library.
* Maintain up-to-date antivirus software.

Additional information can be found in the US-CERT Vulnerability Note VU#940193.

US-CERT will provide additional information as it becomes available.
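The three mitigations quoted above (blank the shortcut icon handler, disable the WebClient service, disable AutoRun) can be audited and, once the key has been exported for later restoration, applied from one script. The script below is an added example, not code from bit-tech, US-CERT or Microsoft's advisory; it assumes the registry locations the referenced advisory and KB967715 document (the IconHandler subkeys of HKCR\lnkfile and HKCR\piffile, and NoDriveTypeAutoRun under Policies\Explorer), and that it runs in an elevated Windows PowerShell session. Without -Apply it only reports which workarounds are missing.

```powershell
# Added example: audit (and with -Apply, enforce) the 2286198 / KB967715 workarounds.
# Not from the article, US-CERT or Microsoft; registry paths are assumed from the
# referenced advisory and KB article. Export HKCR\lnkfile and HKCR\piffile before
# applying so the icon handler can be restored once the real fix ships.
param([switch]$Apply)

# PowerShell has no HKCR: drive by default; map one for this session.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$findings = @()

# 1. Shortcut icon handler. The advisory's workaround is to clear the (Default)
#    value of the IconHandler key so Explorer no longer loads shortcut icons
#    through the vulnerable code path. .pif shortcuts use the same handler.
foreach ($key in 'HKCR:\lnkfile\shellex\IconHandler', 'HKCR:\piffile\shellex\IconHandler') {
    $handler = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($handler) {
        $findings += "icon handler still registered at $key ($handler)"
        if ($Apply) { Set-Item -Path $key -Value '' }   # clears the (Default) value data
    }
}

# 2. WebClient service. Disabling it closes the WebDAV delivery path the article
#    mentions; network shares (SMB) are not affected by this step.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
if ($svc -and ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')) {
    $findings += "WebClient service is $($svc.State), start mode $($svc.StartMode)"
    if ($Apply) {
        Stop-Service -Name WebClient -Force
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# 3. AutoRun (KB967715). NoDriveTypeAutoRun = 0xFF disables AutoRun for every
#    drive type, so inserting removable media no longer opens Explorer on it.
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$current = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -ne 0xFF) {
    $findings += "NoDriveTypeAutoRun is '$current' (expected 0xFF)"
    if ($Apply) {
        if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
        Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

# Report. In audit mode each line is a gap; with -Apply each line is a change made.
if ($findings.Count -eq 0) {
    Write-Output 'All three workarounds are already in place.'
} else {
    $label = if ($Apply) { 'APPLIED' } else { 'MISSING' }
    $findings | ForEach-Object { Write-Output "$label : $_" }
}
```

Note that blanking the icon handler, as US-CERT warns, affects functionality: every shortcut renders with a generic icon until the value is restored, which is why the export step matters. Disabling AutoRun does not remove the risk of a user browsing to the folder by hand; it only removes the no-interaction path.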
Altron 19th July 2010, 22:58 Quote
Quote:
Originally Posted by snootyjim
Quote:
Originally Posted by Jack_Pepsi
Tell them that shortcut icons can be exploited and they'll go around deleting everything.

I can't delete Recycle Bin! Help!

;)

Would deleting the recycle bin be the same as dividing by zero?
Grimloon 20th July 2010, 00:19 Quote
Quote:
Originally Posted by Altron
Would deleting the recycle bin be the same as dividing by zero?

I wish! The implosion in the space time continuum caused should be localised and therefore only eliminate the specific perpetrator rather than the whole universe. We can, at least, hope that this would be the case.
Quote:
Originally Posted by MrZephyr
*snip*

Full credit for the rational approach. We're talking about end users here - "To click or not to click, that is the question. Whether 'tis nobler..." (I sincerely apologise for seriously mauling that quote but I hope that you get the picture I'm seeing at the moment). The rational, secure approach is for the geeks/network techs. For everyone else it's simply a case of "What happens if I click on this?" and some bugger else has to clean up the mess.
DarkLord7854 20th July 2010, 01:35 Quote
Quote:
Originally Posted by Altron
Would deleting the recycle bin be the same as dividing by zero?

If I recall actually, a lot of people had problems with deleting their recycle bin and then couldn't get it back :)
807 20th July 2010, 01:59 Quote
Quote:
Originally Posted by Altron
Would deleting the recycle bin be the same as dividing by zero?

- err yes ! - unless you SHIFT DELETE - then it's like multiplying by zero !
thehippoz 20th July 2010, 02:31 Quote
Quote:
Originally Posted by MrZephyr
Check out the US-CERT website, they say there is a workaround available:

http://www.us-cert.gov/current/index.html#microsoft_windows_lnk_vulnerability

Microsoft Windows LNK Vulnerability
added July 16, 2010 at 10:08 am | updated July 19, 2010 at 09:02 am

US-CERT is aware of a vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for LNK files. Microsoft uses LNK files, commonly referred to as "shortcuts," as references to files or applications.

By convincing a user to display a specially-crafted LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user.

Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include:

* disabling the display of icons for shortcuts
* disabling the WebClient service

In addition to implementing the workarounds listed in Microsoft Security Advisory 2286198, US-CERT encourages users and administrators to consider implementing the following best practice security measures to help further reduce the risks of this and other vulnerabilities:

* Disable AutoRun as described in Microsoft Support article 967715.
* Implement the principle of least privilege as defined in the Microsoft TechNet Library.
* Maintain up-to-date antivirus software.

Additional information can be found in the US-CERT Vulnerability Note VU#940193.

US-CERT will provide additional information as it becomes available.

wow that's pretty bad.. you just have to view the lnk in the explorer to execute the code.. so it's to do with executing the code through an overflow when it goes to load the icon

man that's sick.. you can't even view a file without getting it up the yahoo :D something like this would have been caught on open source a long time ago
Altron 20th July 2010, 04:00 Quote
Quote:
Originally Posted by 807
- err yes ! - unless you SHIFT DELETE - then it's like multiplying by zero !

Whoa. Dude. It's like there is a recycle bin in the recycle bin. Like, the circle of life, bro. Far out, man. It's like a double rainbow.
proxess 20th July 2010, 10:52 Quote
Quote:
Originally Posted by leexgx
not an auto run bug, short cut bug (read the last part)

I did read it all, assuming you know what shortcuts you have on your desktop...
leexgx 20th July 2010, 15:27 Quote
but the point is just viewing the shortcut (not clicking on it, just the file in the list) seems to be able to trigger the issue. got to be the worst type of bug i have ever seen (ok msblaster was the best one :P for users who lacked a router or just did not enable the windows firewall, as that can stop it as well)
CopperCAT 20th July 2010, 20:39 Quote
Quote:
Originally Posted by DarkLord7854
If I recall actually, a lot of people had problems with deleting their recycle bin and then couldn't get it back :)

In Windows 95, you could install applications in the recycle bin... And never be able to remove them anymore.