begood Posted July 18, 2010 Report Posted July 18, 2010 We've received plenty of information over the past couple days about this alleged vulnerability in Windows's "lnk" file, and it's use against "SCADA" networks. Windows Shortcut Flaw underpins power plant Trojan ? The Register Experts Warn of New Windows Shortcut Flaw — Krebs on Security UPDATE: Two of our Handlers have copies of it now on their analyzation systems. Thank you, we will analyze it. UPDATE 2: We have been notified via our comments that Symantec has definitions for this malware as well now. -- Joel Esler | http://blog.joelesler.net | Joel Esler (JoelEsler) on Twitter UPDATE 3 (from Bojan): Microsoft posted the advisory about the vulnerability in Windows Shell that has been exploited in some targeted attacks (the advisory is at Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution). I've tested the exploit and can confirm that it works in Windows XP, Vista and Windows 7. The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location – the LNK file in itself does not exploit any vulnerability such as buffer overflows, for example, so it is a legitimate LNK file. The LNK file used in targeted attacks was manually crafted as some fields that are normally present, such as CreationTime, AccessTime or WriteTime are all set to 0. I will not be posting details about how the exploit works, but here are some things that you should be aware of:If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.The exploit is triggered every time a folder containing a malicious LNK files is opened (for example, with Windows Explorer). It does not matter where this folder is – it does not have to be on a USB device, but in order to execute to malicious binary, the attacker has to specify its location correctly. What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example). Some AV vendors started adding detection for these LNK files, although it is still very, very bad. We will, of course, keep an eye on the development of this.Vulnerability in Windows "LNK" files?http://rstcenter.com/forum/24396-cve-2010-2568-lnk-code-execution-proof-concept.rst#post162288 Quote
begood Posted July 18, 2010 Author Report Posted July 18, 2010 Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality: •Disable the displaying of icons for shortcutsNote Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.1.Click Start, click Run, type Regedit in the Open box, and then click OK2.Locate and then click the following registry key:HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler3.Click the File menu and select Export4.In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click SaveNote This will create a backup of this registry key in the My Documents folder by default5.Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.6.Restart explorer.exe or restart the computer.Impact of workaround.Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.•Disable the WebClient service Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.To disable the WebClient Service, follow these steps:1.Click Start, click Run, type Services.msc and then click OK.2.Right-click WebClient service and select Properties.3.Change the Startup type to Disabled. If the service is running, click Stop.4.Click OK and exit the management application.Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.How to undo the workaround.To re-enable the WebClient Service, follow these steps:1.Click Start, click Run, type Services.msc and then click OK.2.Right-click WebClient service and select Properties.3.Change the Startup type to Automatic. If the service is not running, click Start.4.Click OK and exit the management application.http://www.microsoft.com/technet/security/advisory/2286198.mspx Quote
