Jump to content



Photo

Windows (all versions) Zero Day lnk vulnerability VERY serious


  • Please log in to reply
66 replies to this topic

#1 +warwagon

warwagon

    Only you can prevent forest fires.

  • 25,851 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 24 July 2010 - 22:36

I know it was posted on the front page that Microsoft Released a fixit tool to turn off your icons until a fix is released.

Just to recap

Computerworld - Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.

The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support, researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2.

In a security advisory, Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows "shortcut" files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

"In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware," Dave Forstrom, a director in Microsoft's Trustworthy Computing group, said in a post Friday to a company blog. Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.


http://www.computerw...rive_by_attacks

Most people didn't seem to concerned because they weren't inserting removable media into their machine. As it turns out there has been some speculation that a machine could also be compromised using this vulnerability via the icons you get while browsing to different websites.

Microsoft said ""An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location," the company said in the advisory. "When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked."

On the security now podcast Steve Gibson said

The act of displaying the icon of the link files executes the malicious code in that new machine. It's regarded as not requiring any specific user action. So in this particular case it's being considered a worm. And something like 9,000 instances of this a day is now being seen in the wild. The point is that everyone who recognizes how pervasive this can be is expecting this to be a big problem. And Microsoft in their most recent update acknowledged something that HD Moore was first quoted as saying. He has apparently figured out how to get favicons to do this.

Leo: Ugh. So websites would do it, then.

Steve: Yes. And so Microsoft has acknowledged that not only displaying these .LNK file icons in Windows Explorer, but now in Office documents, any Office documents are also vulnerable, including Outlook, which is to say email. So receiving malicious email containing one of these can compromise your system. And they also acknowledge websites can do it. You can now have a malicious website that will display, that will leverage this through the defect in the shell. And I'm not sure if it's all browsers. Certainly IE because Microsoft has acknowledged that. Depending upon where the display code is, I would imagine this may be cross-browser vulnerable also. We'll know more certainly a week from now.

The problem is that there isn't anything clearly - there's no real good solution for this. Microsoft has posted a Fix it which makes some changes to the registry and also shows what manual changes can be made. The problem is that the fix that is required, until we actually get the problem repaired, is that all of your link, all of your shortcuts stop being displayed, and you get sort of the generic white rectangle.


Just thought I would give everyone the heads up.


#2 Barney T.

Barney T.

    Debian Linux: I'm Loving It!

  • 14,855 posts
  • Joined: 30-August 03
  • Location: Williamsburg, Virginia

Posted 24 July 2010 - 22:43

Thanks for the update WW. (Y)

#3 vetmarkjensen

markjensen

    Linux noob since Red Hat 5.1

  • 24,502 posts
  • Joined: 02-October 03
  • Location: Middle Tennessee
  • OS: GNU/Linux
  • Phone: Android and iPhone

Posted 24 July 2010 - 22:44

I agree, too many people were fixated on the USB plugging thing.

The flaw is serious.
The exploits are being used.
I would expect a fix from Microsoft soon. Quite likely an out-of-band patch before Patch Tuesday.

#4 AR556

AR556

    Neowinian Senior

  • 5,604 posts
  • Joined: 07-August 03

Posted 24 July 2010 - 22:44

There is no way to just disable icon loading for IE?

#5 vetAndrew Lyle

Andrew Lyle

    Don't Panic!

  • 31,910 posts
  • Joined: 15-December 03
  • Location: Toronto, Ontario
  • OS: Windows 7 SP1

Posted 24 July 2010 - 22:53

lol @ bolded text

thanks for the heads up :)

#6 nub

nub

    Neowinian Senior

  • 2,893 posts
  • Joined: 19-November 06
  • Location: Amerika

Posted 24 July 2010 - 23:02

"IE8 still requires confirmation before going from Internet zone to [a] WebDAV share," he said, referring to an Internet Explorer security setting. "It is an easy drive-by on IE6, but there is still user interaction with newer versions of IE."

The attack doesn't work when users browse with Mozilla's Firefox or Google's Chrome, Moore said.


Although I could see this being exploited by inserting it into legit programs. I know a while back wordpress's website was hacked and malicious code was added. Except in this case, it would replace the shortcut icon of a popular program.

#7 vetCalum

Calum

    Neowinian Senior

  • 13,211 posts
  • Joined: 10-January 07

Posted 24 July 2010 - 23:10

So, I skimmed it all - read it, but fast, as I am very busy; I have two questions:

Can this worm affect my system by me just simply browsing websites? (I'm concerned here, as I browse a lot of porn).
Will it be obvious if I am infected by this? (I think read something which stated that all my icons would turn into a generic paper icon or something).

Thanks, guys :)

#8 nub

nub

    Neowinian Senior

  • 2,893 posts
  • Joined: 19-November 06
  • Location: Amerika

Posted 24 July 2010 - 23:15

Can this worm affect my system by me just simply browsing websites? (I'm concerned here, as I browse a lot of porn).


No. You have to connect to a WebDAV share using IE. IE 8 requires confirmation before doing this, but IE 6 doesn't. So as long as you're using IE 8 or a none IE browser you should be safe.

#9 vetmarkjensen

markjensen

    Linux noob since Red Hat 5.1

  • 24,502 posts
  • Joined: 02-October 03
  • Location: Middle Tennessee
  • OS: GNU/Linux
  • Phone: Android and iPhone

Posted 24 July 2010 - 23:26

(I'm concerned here, as I browse a lot of porn).

:rofl:
Well, honesty is the best policy!

#10 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • 25,851 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 24 July 2010 - 23:28

What if we use firefox I wonder.

#11 Northgrove

Northgrove

    Philosophizing Developer

  • 9,865 posts
  • Joined: 29-December 02
  • Location: Sweden
  • OS: OS X 10.8
  • Phone: iPhone 5

Posted 24 July 2010 - 23:33

As long as an Explorer window tries to read the shortcut file's icon data, it's subject to the exploit. Yeah, WebDAV shares are coincidentally affected (since Windows uses Explorer to connect to WebDAV shares) which makes this a potential remote exploit, but other stuff too, like network shares etc, besides the obvious stuff like being subject to the vulnerability merely by extracting a zip file and viewing its contents (with among others, a malicious shortcut) in Explorer. Note: Looking at the icon is enough, you don't need to open stuff.

Lots of possibilities here, which make it so serious. It's hard to predict all attack vectors... Browsing files in a third party app is also subject to the exploit, I suppose, since they usually use the standard "Open file" dialog box, and I think that one also parses icon info.

#12 Northgrove

Northgrove

    Philosophizing Developer

  • 9,865 posts
  • Joined: 29-December 02
  • Location: Sweden
  • OS: OS X 10.8
  • Phone: iPhone 5

Posted 24 July 2010 - 23:38

What if we use firefox I wonder.

Firefox doesn't support WebDAV, and I don't think its FTP support parses icons but uses hard coded icons depending on file extensions.

#13 vetCalum

Calum

    Neowinian Senior

  • 13,211 posts
  • Joined: 10-January 07

Posted 25 July 2010 - 00:00

No. You have to connect to a WebDAV share using IE. IE 8 requires confirmation before doing this, but IE 6 doesn't. So as long as you're using IE 8 or a none IE browser you should be safe.

Excellent; thank you for the information :happy:




:rofl:
Well, honesty is the best policy!

(Y) :D

#14 Lechio

Lechio

    Neowinian Senior

  • 3,856 posts
  • Joined: 07-April 04

Posted 25 July 2010 - 00:02

So, I skimmed it all - read it, but fast, as I am very busy; I have two questions:

Can this worm affect my system by me just simply browsing websites? (I'm concerned here, as I browse a lot of porn).
Will it be obvious if I am infected by this? (I think read something which stated that all my icons would turn into a generic paper icon or something).

Thanks, guys :)

No, you might only know after your personal data is stolen (credit card information, bank credentials, passwords, ...).

#15 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • 25,851 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 25 July 2010 - 00:19

ok WebDAV shares is one thing

but the way I understood it, the vulnerability could also affect favicons like this.

The act of displaying the icon of the link files executes the malicious code in that new machine. It's regarded as not requiring any specific user action. So in this particular case it's being considered a worm. And something like 9,000 instances of this a day is now being seen in the wild. The point is that everyone who recognizes how pervasive this can be is expecting this to be a big problem. And Microsoft in their most recent update acknowledged something that HD Moore was first quoted as saying. He has apparently figured out how to get favicons to do this.


See why this is really scary now?

Attached Images

  • Capture.JPG
  • favicon.JPG




Click here to login or here to register to remove this ad, it's free!