The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.
Problems? See this thread at archive.org.

    Serious MS vulnerability (turning autorun off does NOT suffice)

    Discussion in 'Security and Anti-Virus Software' started by Kyle, Jul 19, 2010.

  1. Kyle

    Kyle JVC SZ2000 Dual-Driver Headphones

    Reputations:
    1,758
    Messages:
    992
    Likes Received:
    575
    Trophy Points:
    106
  2. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    Fun times. Thanks for the warning on this one; hadn't noticed it before.
     
  3. Kyle

    Kyle JVC SZ2000 Dual-Driver Headphones

    Reputations:
    1,758
    Messages:
    992
    Likes Received:
    575
    Trophy Points:
    106
    Updated with fix.
     
  4. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    This fix for the .lnk zero-day vulnerability is a nasty one though.

    It results in a messy desktop with blank icons, as shown in this pic from a Sophos blog:

    [image: screenshot from a Sophos blog post of a desktop with blank shortcut icons]

    More information on this USB trojan vulnerability (which has been used to compromise Siemens SCADA (Supervisory Control and Data Acquisition) environments) can be found here and here.
     
  5. rm2

    rm2 Notebook Consultant

    Reputations:
    107
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    30
  6. Kyle

    Kyle JVC SZ2000 Dual-Driver Headphones

    Reputations:
    1,758
    Messages:
    992
    Likes Received:
    575
    Trophy Points:
    106
  7. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    Thread was already closed, eh? I can kind of understand their point, but I do agree that this new attack is particularly worrisome. I've held off on checking around my department (I work IT support; primarily virus removal) to see if people are aware of this bug; but it seems to be growing now. That proposed fix is not going to go over well with most people. Heck, I really don't like the idea. Comes down to the lesser of two evils, I suppose.
     
  8. Kyle

    Kyle JVC SZ2000 Dual-Driver Headphones

    Reputations:
    1,758
    Messages:
    992
    Likes Received:
    575
    Trophy Points:
    106
    Darn, they closed the thread :(

    Yeah, I hope it's a temp fix till MS patches up the hole in the Windows shell through an update.
     
  9. rm2

    rm2 Notebook Consultant

    Reputations:
    107
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    30
    How many on this forum have applied the Microsoft provided fix? Only respond if you have.
     
  10. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    I did on my desktop; can't yet stand to do so on my laptop (which is my main machine atm). As Baserk said above, it's a pretty nasty fix. Anyone know if ESET or any of the other major companies are able to remove it? I know it's been at least added to Symantec's database; but there was no mention of removal, just detection.
     
  11. rm2

    rm2 Notebook Consultant

    Reputations:
    107
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    30
    This is a vulnerability, not a virus. In other words, the problem is not that a virus or worm is on the loose. The problem is that Windows is vulnerable to being exploited by any and all hackers by simply opening a PDF, a Word document, or an email with a specially crafted icon embedded in it. :eek:

    And those are only some of the ways Windows is exploitable right now. The thing is that those that have not applied the Fix have their computers open to infections and are in fact open to contributing to spreading infections. Everyone using Windows should apply the Fix or stop using Windows. What better time to give Linux a try?
     
  12. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    Sorry, I mis-spoke/typed. What I meant was, does anyone have a list of known infections that are utilizing this exploit?
     
  13. trvelbug

    trvelbug Notebook Prophet

    Reputations:
    929
    Messages:
    4,007
    Likes Received:
    40
    Trophy Points:
    116
    I tried the automatic fix but my icons are still visible.
    I checked the regedit value and it has indeed been left blank.
    So I guess that sometimes the icons are left as is.
     
  14. rm2

    rm2 Notebook Consultant

    Reputations:
    107
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    30
    The advisory says:
    We have installed this on all the computers at our organization. I would say that from what I have seen, most icons were left unchanged. At least on the desktop. On the All Programs menu they are pretty much all blank.
     
  15. trvelbug

    trvelbug Notebook Prophet

    Reputations:
    929
    Messages:
    4,007
    Likes Received:
    40
    Trophy Points:
    116
    You're right, just checked my All Programs and it is indeed blank.
     
  16. Kyle

    Kyle JVC SZ2000 Dual-Driver Headphones

    Reputations:
    1,758
    Messages:
    992
    Likes Received:
    575
    Trophy Points:
    106
    I've applied this fix. Actually I applied the fix before MS released their automatic script; I went and manually edited the registry.
    I don't depend on icons much, heck I don't use Windows much; so it's had minimal impact on me; but yeah I can see that it would be a major pain for the majority.
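    The manual registry edit Kyle mentions is the advisory's workaround: the default value of the IconHandler key for .lnk (and .pif) files normally holds the shell-link CLSID, and blanking it stops the shell from asking that handler to render shortcut icons, which is the step the crafted shortcuts abuse. The advisory also suggests stopping the WebClient service. The script below is an added example for this thread, not Microsoft's Fix-it and not code from anyone posting here. It audits whether the workaround is in place, whether WebClient is running, and whether the update (KB2286198, the number quoted in the last post of the thread) is installed; the `wmic qfe` and `sc query` parsing is this example's own assumption about how to read that state, and the sample outputs used to check it are constructed.

```python
"""Audit the Microsoft Security Advisory 2286198 shortcut-icon workaround.

Added example for this thread; it is not Microsoft's Fix-it and not code
posted by anyone above. Assumptions, stated as such: the workaround is the
one the advisory describes (blank the default value of the lnkfile and
piffile IconHandler keys, stop the WebClient service), and the patch is
detected by the KB number quoted in the thread's last post via the output
of `wmic qfe get HotFixID`.
"""
import subprocess

try:
    import winreg  # only exists on Windows; the pure helpers run anywhere
except ImportError:
    winreg = None

# Stock shell-link icon handler CLSID that the workaround blanks out.
SHELL_LINK_CLSID = "{00021401-0000-0000-C000-000000000046}"
ICON_HANDLER_KEYS = (r"lnkfile\shellex\IconHandler", r"piffile\shellex\IconHandler")
PATCH_KB = "KB2286198"


def workaround_state(handler_values):
    """Classify the default values read from the IconHandler keys.

    'applied'  every handler is blank or missing (the advisory workaround)
    'absent'   every handler is the stock shell-link CLSID
    'partial'  a mix, or a CLSID that is neither: worth a closer look
    """
    blank = [v in ("", None) for v in handler_values]
    if all(blank):
        return "applied"
    if not any(blank) and all(v.upper() == SHELL_LINK_CLSID for v in handler_values):
        return "absent"
    return "partial"


def patch_installed(qfe_output, kb=PATCH_KB):
    """True if a `wmic qfe get HotFixID` listing names the KB."""
    return any(line.strip().upper() == kb for line in qfe_output.splitlines())


def webclient_running(sc_output):
    """True if `sc query WebClient` reports the service RUNNING."""
    return any("STATE" in line and "RUNNING" in line for line in sc_output.splitlines())


def read_icon_handlers():
    """Read the default value of each IconHandler key (None if unset)."""
    values = []
    for sub in ICON_HANDLER_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, sub) as key:
                values.append(winreg.QueryValueEx(key, "")[0])
        except OSError:  # key or default value missing
            values.append(None)
    return values


def set_icon_handlers(value):
    """value='' applies the workaround; value=SHELL_LINK_CLSID reverts it.

    Needs an elevated prompt; Explorer must be restarted (or log off and on)
    before it picks the change up.
    """
    for sub in ICON_HANDLER_KEYS:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, sub, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, "", 0, winreg.REG_SZ, value)


def audit():
    if winreg is None:
        print("registry audit needs Windows; the pure helpers still work here")
        return
    qfe = subprocess.run(["wmic", "qfe", "get", "HotFixID"], capture_output=True, text=True).stdout
    sc = subprocess.run(["sc", "query", "WebClient"], capture_output=True, text=True).stdout
    state = workaround_state(read_icon_handlers())
    print("icon-handler workaround:", state)
    print("WebClient running:", webclient_running(sc))
    print(PATCH_KB, "installed:", patch_installed(qfe))
    if patch_installed(qfe) and state != "absent":
        print("update present: set_icon_handlers(SHELL_LINK_CLSID) restores the icons")


if __name__ == "__main__":
    audit()
```

    Run it from an elevated prompt; `audit()` only reads. `set_icon_handlers("")` is the same edit the Fix-it makes, and the blank icons the thread complains about are the expected side effect, since the shell no longer has a handler to draw them. Once the update is installed the workaround buys nothing, so revert it with the stock CLSID to get icons back.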
     
  17. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    Don't you think that besides using the icon vulnerability, the Word document also will have to contain malware in order to actually infect a user's system?
    Just having a specially crafted icon would be pretty useless.
    That would only mean opening up the attack vector without any malware payload to push through...

    And where have you read about the .lnk vulnerability in relation to PDFs, if I may ask?

    The malware used can be scanned and found by security software, like the original Stuxnet rootkit.
    So, the advice to everyone to either implement the fix or stop using Windows is, with all due respect, bollocks.

    Would you recommend everyone to stop using Linux because an exploit has been found (just one somewhat recent example)?
     
  18. rm2

    rm2 Notebook Consultant

    Reputations:
    107
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    30
    Sure, but with an open door like that, how could any malware protection software ever keep up? That is why the solution and responsibility for this problem lies on Microsoft's shoulders, not on the malware protection software vendors.

    Sorry, my mistake. Glancing at the Microsoft advisory I read about embedded shortcuts and about how PIF files are also included and I think my mind played a trick on me. You are right in that PDFs are not mentioned on the advisory. But, seeing that PDFs have javascript on them and are able to have objects embedded on them, I wouldn't be surprised if they were also usable as attack tools.

    Well, I disagree, but you are welcome to your opinion.


    Yeah, that was a boo-boo on the Debian front. But it only affected Debian derivatives, which I don't use (PCLinuxOS user here). Besides, the fix was ready and deployed almost immediately. This vulnerability affects basically all Windows versions. And how long has this Windows vulnerability been available to hackers? How long will it still be before a patch arrives?
     
  19. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    That definitely sums up the main concern here. I'm already having issues as it is with the computers that come to me for virus cleaning; half the people are bringing them because of completely unrelated issues (in their minds) to malware. Then I find keyloggers, or worse, lurking around their systems. If they're not noticing that they have documented malware on their systems, how on earth are they ever going to suspect that they're being exploited by a vulnerability such as this one? It may sound extremist/alarmist to claim that people should ditch windows in favor of linux, but I can easily see the value in such a view.

    As a sidenote, it's interesting to hear that icons weren't greatly affected on the desktop. The computer I tested the fix on is basically used as a media center, so nothing on the desktop or taskbar. I assumed from the lack of icons in All Programs that it was global.

    Update: I went ahead and installed the fix on my main laptop and played around with it a bit. Here's what I've found for Windows 7:
    - All icons in "All-Programs" are indeed blank
    - All running applications that are not pinned to the taskbar have a blank icon.
    - All icons on the desktop itself are mostly left alone, though it appears that this only applies to old shortcuts; any new ones that you create after the fix will have a blank icon.
    - All old icons on the taskbar will be left alone. If you drag a new program to the taskbar, it will have a blank icon. Oddly enough, if you instead open a program and then pin it (via right-clicking on the running app) it will go from having a blank icon to the program icon (i.e. normal icon).

    EDIT: Those last two points are wrong. Eventually all desktop icons will disappear. They may be there right after the fix, but that is only a temporary thing.
     
  20. Kyle

    Kyle JVC SZ2000 Dual-Driver Headphones

    Reputations:
    1,758
    Messages:
    992
    Likes Received:
    575
    Trophy Points:
    106
    Ecar88, how are Keyloggers detected?
     
  21. rm2

    rm2 Notebook Consultant

    Reputations:
    107
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    30
    Most people would be better off running Linux. As simple as that. I have helped many of my friends make the switch. Every time someone comes to me for help with a virus infested Windows machine, I always encourage them to give Linux a try for a while. After that, if they are not happy with it and they want me to put Windows back in, I will do so gladly! With that assurance, they usually are willing to give it a try. So far, none of the ones I have helped have asked for Windows to be put back.

    Just about two months ago I set up PCLinuxOS for a family I know. I created an account for each one in the family and told the parents to keep the root password to themselves. The reason for that is the parental controls which, by the way, they loved. Because of Hulu, they had gotten rid of cable and hooked up their computer to their beautiful new LCD TV. It was nice to see how impressed they were with the Hulu Desktop application. Their printer and scanner worked with no problem whatsoever. I created a directory where the whole family can share data under /home/shared, made everyone a member of the "family" group and set the permissions on that folder so that everyone in that group can read and write to it. I then copied all their shared pictures, movies, and music to that area. I showed them how to point Amarok to that folder and when their music started playing they couldn't believe that the program was fetching the lyrics for them. They were thrilled. And they don't have to worry about viruses any more. I now have people on a waiting list waiting for me to come around and do the same for them!

    I do this on my own time and charge nothing for it. I view it as a sort of volunteer community enhancement effort. The chances of them calling me again with a malware problem is basically zero. Sure, you and I can use Windows safely for years without getting it infected, but kids will be kids. And these folks are not computer savvy at all. So, they will be much more secure running Linux.

    Their system will not only be supported with security updates for the life of the system, but it will automatically receive new features, both on the OS and its applications. That means that they won't have to pay for the next version of this and the next version of that, and they won't be running into artificial barriers and limitations planted there to lure them into paying more.

    Now, when their friends come to visit and see their beautiful computer desktop and their awesome applications they can in good conscience and with joy offer them a copy to take home with them. That is the way humans are supposed to act you know. ;)
     
  22. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    An anti-executable with a white-list goes a long way in protecting the comp.
    And a (simple) software restriction policy (in a GPO) would have protected against the specific USB-Stuxnet attack.
    Of course it's Redmond's job to fix it. But this particular vulnerability doesn't mean every single MS user must tremble in fear.

    To a certain extent I agree.
    For a lot of folks, some of the current distros will fulfill all their needs.
    Excluding the users of lots of proprietary Win software and the entire PC gaming community, those persons/families as in your example don't actually need a Windows OS.

    But they do need a person like yourself.

    That's where you go wrong. ;) j/k.
    Now those friends will ask your friends for your phonenumber as to setup the same beautiful desktop and awesome apps at their place...
     
  23. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    Not all of them can be, but if one is present on the system scanning software such as Malwarebytes will usually pick it up. Generally speaking, normal AV software has a tough time picking up on keyloggers. I've never had a keylogger on my system, so I'm not sure if the MSSE (my AV of choice at the moment) will grab it with its real-time protection or no. I have seen ESET NOD32 pick up keyloggers, though. It's technically more accurate to say that scanners will pick up on cues that denote a known keylogger (emphasis on known; unknown ones are obviously much harder to pin down).

    Note: Forgive my word choice throughout, I'm definitely still learning about how exactly these sorts of things operate; I can clean them, but my knowledge beyond that is fledgling at best.
     
  24. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    Well, apparently SophosLabs has released a tool that functions as a partial fix: SophosLabs.

    The updated info mentions that this tool is ineffective at preventing PIF based exploits and "does not protect against LNK files or targets stored on the local disk."

    At least it's something.
     
  25. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    ^+1.

    GDATA has also come up with a temporary fix until Microsoft comes up with a permanent one.
    Information and download location can be found on this page; link
     
  26. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    Hmm, according to that article the GDATA one is actually far better. I take it that it doesn't have the limitation on local files that the Sophos one does? Or am I misreading that article?
     
  27. Paul P

    Paul P Notebook Consultant

    Reputations:
    0
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    30
    Isn't that like 100% of most users' LNK files and targets ?

    (edit: I was thinking mostly of residential systems. People working on a network may have
    a lot of stuff that doesn't reside on a local disk)

    Thanks to those of you keeping us others up to date on this matter. An interesting situation.
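    The Sophos and G-DATA tools discussed above act at the moment the shell renders a shortcut's icon. The scanner below, an added example written for this thread and not code from Sophos, G-DATA, Microsoft or any poster, applies a comparable check offline to .lnk files on disk, which is exactly the "LNK files or targets stored on the local disk" case Paul P asks about. The header and ItemIDList parsing follow Microsoft's public MS-SHLLINK layout; the detection rule, a Control Panel folder item followed by an item carrying a file path outside the Windows directory, is this example's own heuristic assumption rather than any vendor's signature. A legitimate shortcut to a Control Panel applet also carries a path, which is why there is a trusted-prefix allowlist; without it the scanner would flag every Control Panel shortcut, the same quirk the thread notes for the G-DATA checker. The three sample shortcuts are constructed in the block and are not real malware.

```python
"""Offline heuristic scanner for shortcut (.lnk) files whose icon the shell
would render by loading a Control Panel item from an attacker-chosen path.

Added example for this thread, not code from Sophos, G-DATA, Microsoft or
any poster. Header/ItemIDList layout per the public MS-SHLLINK spec; the
rule 'Control Panel folder item followed by an item with a path outside
a trusted directory' is this example's own heuristic assumption.
"""
import re
import struct
import sys
import uuid

HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
# Drive-letter or UNC/device path (\\server\share, \\.\device), up to a NUL.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^\x00<>"|?*]+')


def parse_header(data):
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link")
    size, = struct.unpack_from("<I", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID:
        raise ValueError("not a shell link")
    return struct.unpack_from("<I", data, 20)[0]


def parse_id_list(data, offset):
    """Return the payload of each ItemID in the LinkTargetIDList at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated IDList")
    size, = struct.unpack_from("<H", data, offset)
    pos, end = offset + 2, offset + 2 + size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    items = []
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("bad ItemID size")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def control_panel_paths(data):
    """Paths found in ItemIDs that follow a Control Panel folder item."""
    if not parse_header(data) & HAS_LINK_TARGET_ID_LIST:
        return []
    paths, after_control_panel = [], False
    for item in parse_id_list(data, HEADER_SIZE):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            after_control_panel = True
            continue
        if not after_control_panel:
            continue
        # Item text is normally UTF-16LE; try both alignments plus ANSI.
        for text in (item.decode("utf-16-le", "ignore"),
                     item[1:].decode("utf-16-le", "ignore"),
                     item.decode("latin-1")):
            for m in PATH_RE.finditer(text):
                if m.group(0) not in paths:
                    paths.append(m.group(0))
    return paths


def classify(data, trusted_prefixes=("c:\\windows\\",)):
    """'clean', 'control-panel' (applet under a trusted dir) or 'suspicious'."""
    paths = control_panel_paths(data)
    if not paths:
        return "clean", paths
    if all(p.lower().startswith(trusted_prefixes) for p in paths):
        return "control-panel", paths
    return "suspicious", paths


# --- constructed samples: not real malware, item layout simplified ------
def build_link(item_payloads):
    header = struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID.bytes_le
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(HEADER_SIZE, b"\x00")
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


def path_item(path):
    return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"


ROOT_ITEM = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le
CONTROL_PANEL_ITEM = b"\x1f\x00" + CONTROL_PANEL_CLSID.bytes_le
SAMPLE_SUSPICIOUS = build_link([ROOT_ITEM, CONTROL_PANEL_ITEM, path_item("E:\\dropped.tmp")])
SAMPLE_APPLET = build_link([ROOT_ITEM, CONTROL_PANEL_ITEM, path_item("C:\\Windows\\system32\\main.cpl")])
SAMPLE_PLAIN = build_link([ROOT_ITEM, path_item("C:\\Users\\kyle\\notes.txt")])

if __name__ == "__main__":
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            print(name, *classify(fh.read()))
```

    Point it at a folder of shortcuts with something like `python lnkscan.py *.lnk` (assumed file name). The interesting design choice is the allowlist: a Control Panel shortcut Windows itself created points at a .cpl under the Windows directory and is reported as "control-panel", while a Control Panel item whose path leads to removable media or a user-writable location is what gets "suspicious". Treat a hit as a reason to look at the file, not as proof of infection.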
     
  28. trvelbug

    trvelbug Notebook Prophet

    Reputations:
    929
    Messages:
    4,007
    Likes Received:
    40
    Trophy Points:
    116
    I think I'll try the G-DATA solution as I find it hard using my computer without the desktop icons.
     
  29. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    No, you are right.
    The G-DATA .lnk protection is much more suitable.
    I can recommend it to all XP/Vista/7-32&64 bit users.

    There has been one issue reported with the G-DATA LNK checker.
    When you make a shortcut of Control Panel or open Control Panel and make a shortcut from any of the programs on your desktop, that shortcut icon will automatically be the G-DATA warning icon. (source link)
    Example;
    [image: a Control Panel shortcut displaying the G-DATA warning icon]

    But besides that issue, it's working better than Sophos' solution and Microsoft's, and it's sufficient protection until Redmond chimes in with a more workable approach than just blanking out most icons.
     
  30. Ecar88

    Ecar88 Notebook Consultant

    Reputations:
    18
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    30
    I concur. I got rid of Microsoft's fix and tried the GData one; it's far less intrusive, and no loss of icons. Seems to be the way to go for now. I agree that that slight issue with the Control panel links is a small price to pay; especially when compared to Microsoft's.
     
  31. J&SinKTO

    J&SinKTO Notebook Deity

    Reputations:
    107
    Messages:
    767
    Likes Received:
    0
    Trophy Points:
    30
    Thanks for this link - Rep.
     
  32. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    Anti malware program HitManPro3 now also offers protection against the .lnk vulnerability.
    Version 3.5.6 build 108 offers an easy and automated way to fix this nasty hole in almost every Windows OS.

    Anyone already running the program can either choose to activate this protection (after updating) on the main screen immediately or at the settings page.

    HitmanPro is a pretty unique antimalware program as it uses G-DATA, Ikarus & Emsisoft, PrevX and Dr. Web, combined in one program; a 'cloud-based, multi-vendor, on-demand behavioural scanner' as they call it.

    More information on the .lnk fix can be found on this HitmanPro web page.
     
  33. trvelbug

    trvelbug Notebook Prophet

    Reputations:
    929
    Messages:
    4,007
    Likes Received:
    40
    Trophy Points:
    116
    Interesting program, +1.
    I used to use VirusTotal but I'll try this out.
    What specifically is the fix HitmanPro does for the .lnk problem?
     
  34. Tranquility

    Tranquility Notebook Consultant

    Reputations:
    80
    Messages:
    227
    Likes Received:
    0
    Trophy Points:
    30
    Microsoft is releasing a patch on Monday
     
  35. trvelbug

    trvelbug Notebook Prophet

    Reputations:
    929
    Messages:
    4,007
    Likes Received:
    40
    Trophy Points:
    116
    should i uninstall the g-data fix before this update?
     
  36. rm2

    rm2 Notebook Consultant

    Reputations:
    107
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    30
    Patch should be available tomorrow. XP SP2 and Windows 2000 to remain unpatched.

    Microsoft to release out-of-band patch for Windows shortcut vulnerability - SC Magazine UK

    From the article:

    Although there have been multiple families that have picked up this vector, one in particular caught our attention this week– a family named Sality.

    “Sality is a highly virulent strain. It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security and then download other malware. It is also a very large family—one of the most prevalent families this year. After the inclusion of the .LNK vector, the numbers of machines seeing attack attempts combining malicious .LNKs and Sality.AT soon surpassed the numbers we saw with Stuxnet. We know that it is only a matter of time before more families pick up the technique.”
     
  37. Paul P

    Paul P Notebook Consultant

    Reputations:
    0
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    30
    Here's Microsoft's notification

    Why Microsoft buries this several layers down on their site is beyond me.
    Like they were ashamed of it or something...

    ----------------------

    EDIT: My Windows Update just downloaded KB2286198 so I guess that's that.