Windows (all versions) Zero Day lnk vulnerability VERY serious

[+Warwagon MVC]

I know it was posted on the front page that Microsoft Released a fixit tool to turn off your icons until a fix is released.

Just to recap

Computerworld - Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.

The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support, researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2.

In a security advisory, Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows "shortcut" files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

"In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware," Dave Forstrom, a director in Microsoft's Trustworthy Computing group, said in a post Friday to a company blog. Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.

http://www.computerworld.com/s/article/9179512/Microsoft_warns_of_Windows_shortcut_drive_by_attacks

Most people didn't seem to concerned because they weren't inserting removable media into their machine. As it turns out there has been some speculation that a machine could also be compromised using this vulnerability via the icons you get while browsing to different websites.

Microsoft said ""An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location," the company said in the advisory. "When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked."

On the security now podcast Steve Gibson said

The act of displaying the icon of the link files executes the malicious code in that new machine. It's regarded as not requiring any specific user action. So in this particular case it's being considered a worm. And something like 9,000 instances of this a day is now being seen in the wild. The point is that everyone who recognizes how pervasive this can be is expecting this to be a big problem. And Microsoft in their most recent update acknowledged something that HD Moore was first quoted as saying. He has apparently figured out how to get favicons to do this.

Leo: Ugh. So websites would do it, then.

Steve: Yes. And so Microsoft has acknowledged that not only displaying these .LNK file icons in Windows Explorer, but now in Office documents, any Office documents are also vulnerable, including Outlook, which is to say email. So receiving malicious email containing one of these can compromise your system. And they also acknowledge websites can do it. You can now have a malicious website that will display, that will leverage this through the defect in the shell. And I'm not sure if it's all browsers. Certainly IE because Microsoft has acknowledged that. Depending upon where the display code is, I would imagine this may be cross-browser vulnerable also. We'll know more certainly a week from now.

The problem is that there isn't anything clearly - there's no real good solution for this. Microsoft has posted a Fix it which makes some changes to the registry and also shows what manual changes can be made. The problem is that the fix that is required, until we actually get the problem repaired, is that all of your link, all of your shortcuts stop being displayed, and you get sort of the generic white rectangle.

Just thought I would give everyone the heads up.

[Barney T. Administrators]

Thanks for the update WW. (Y)

[markwolfe Veteran]

I agree, too many people were fixated on the USB plugging thing.

The flaw is serious.

The exploits are being used.

I would expect a fix from Microsoft soon. Quite likely an out-of-band patch before Patch Tuesday.

[JustGeorge]

There is no way to just disable icon loading for IE?

[Andrew Lyle Global Moderator]

lol @ bolded text

thanks for the heads up :)

[nub]

"IE8 still requires confirmation before going from Internet zone to [a] WebDAV share," he said, referring to an Internet Explorer security setting. "It is an easy drive-by on IE6, but there is still user interaction with newer versions of IE."

The attack doesn't work when users browse with Mozilla's Firefox or Google's Chrome, Moore said.

Although I could see this being exploited by inserting it into legit programs. I know a while back wordpress's website was hacked and malicious code was added. Except in this case, it would replace the shortcut icon of a popular program.

[Calum Veteran]

So, I skimmed it all - read it, but fast, as I am very busy; I have two questions:

Can this worm affect my system by me just simply browsing websites? (I'm concerned here, as I browse a lot of porn).

Will it be obvious if I am infected by this? (I think read something which stated that all my icons would turn into a generic paper icon or something).

Thanks, guys :)

[nub]

Can this worm affect my system by me just simply browsing websites? (I'm concerned here, as I browse a lot of porn).

No. You have to connect to a WebDAV share using IE. IE 8 requires confirmation before doing this, but IE 6 doesn't. So as long as you're using IE 8 or a none IE browser you should be safe.

[markwolfe Veteran]

(I'm concerned here, as I browse a lot of porn).

:rofl:

Well, honesty is the best policy!

[+Warwagon MVC]

What if we use firefox I wonder.

[Malisk]

As long as an Explorer window tries to read the shortcut file's icon data, it's subject to the exploit. Yeah, WebDAV shares are coincidentally affected (since Windows uses Explorer to connect to WebDAV shares) which makes this a potential remote exploit, but other stuff too, like network shares etc, besides the obvious stuff like being subject to the vulnerability merely by extracting a zip file and viewing its contents (with among others, a malicious shortcut) in Explorer. Note: Looking at the icon is enough, you don't need to open stuff.

Lots of possibilities here, which make it so serious. It's hard to predict all attack vectors... Browsing files in a third party app is also subject to the exploit, I suppose, since they usually use the standard "Open file" dialog box, and I think that one also parses icon info.

[Malisk]

What if we use firefox I wonder.

Firefox doesn't support WebDAV, and I don't think its FTP support parses icons but uses hard coded icons depending on file extensions.

[Calum Veteran]

No. You have to connect to a WebDAV share using IE. IE 8 requires confirmation before doing this, but IE 6 doesn't. So as long as you're using IE 8 or a none IE browser you should be safe.

Excellent; thank you for the information :happy:

:rofl:

Well, honesty is the best policy!

(Y) :D

[Lechio]

So, I skimmed it all - read it, but fast, as I am very busy; I have two questions:

Can this worm affect my system by me just simply browsing websites? (I'm concerned here, as I browse a lot of porn).

Will it be obvious if I am infected by this? (I think read something which stated that all my icons would turn into a generic paper icon or something).

Thanks, guys :)

No, you might only know after your personal data is stolen (credit card information, bank credentials, passwords, ...).

[+Warwagon MVC]

ok WebDAV shares is one thing

but the way I understood it, the vulnerability could also affect favicons like this.

The act of displaying the icon of the link files executes the malicious code in that new machine. It's regarded as not requiring any specific user action. So in this particular case it's being considered a worm. And something like 9,000 instances of this a day is now being seen in the wild. The point is that everyone who recognizes how pervasive this can be is expecting this to be a big problem. And Microsoft in their most recent update acknowledged something that HD Moore was first quoted as saying. He has apparently figured out how to get favicons to do this.

See why this is really scary now?

[hdood]

See why this is really scary now?

Since it came from Gibson, it should be taken with a grain of salt. Icons and shortcuts are very different things.

[Lechio]

He has apparently figured out how to get favicons to do this.

If that is true, then this is incredibly catastrophic. All Windows users should stay away from the Web, or apply the MS suggested solution that eliminates the icons (does it get rid of the favicons too?).

[Argi]

If that is true, then this is incredibly catastrophic. All Windows users should stay away from the Web, or apply the MS suggested solution that eliminates the icons (does it get rid of the favicons too?).

People don't read. It's only a major issue if you're still using IE6 (which if you are you aren't really worried about security anyway) - later versions of IE aren't that severe and other browsers aren't affected.

[Lechio]

People don't read. It's only a major issue if you're still using IE6 - later versions of IE aren't that severe and other browsers aren't affected.

Where does it say that? IE6 doesn't ask you permission to connect to a WebDav share, that's why it's more serious when using that version of IE ( when the infection vector is WebDav shares ). The favicons are displayed in every browser.

You apparently didn't read that part.

[The_Decryptor Veteran]

Firefox doesn't support WebDAV, and I don't think its FTP support parses icons but uses hard coded icons depending on file extensions.

Firefox "supports" WebDAV, in the sense that WebDAV is a set of extensions to HTTP, so the core protocol is the same.

And yeah, Firefox doesn't show "embedded" icons when using FTP and such, but more importantly it doesn't use the Windows icon decoder, so a flaw in that wouldn't effect Firefox.

[Lechio]

And yeah, Firefox doesn't show "embedded" icons when using FTP and such, but more importantly it doesn't use the Windows icon decoder, so a flaw in that wouldn't effect Firefox.

Never the term "Internet Explorer" made so much sense. :laugh:

Edited July 26, 2010 by Rob2687

[kill3rt0m4t0]

Never the term "Internet Explorer" made so much sense. :laugh:

It never has, except maybe to some obtuse individuals. I think it's safe to say you've never heard of Protected Mode.

Edited July 26, 2010 by Rob2687

[pezzonovante]

It never has, except maybe to some obtuse individuals. I think it's safe to say you've never heard of Protected Mode.

Absolutely. <snip> They have no idea that IE8 running in Protected Mode on Windows 7 is the most secure browser in the world.

Edited July 25, 2010 by Rob2687
No OS trolling

[Lechio]

Absolutely.<snip> They have no idea that IE8 running in Protected Mode on Windows 7 is the most secure browser in the world.

Protected Mode is useless when it gets bypassed. This affects other Windows components, not Internet Explorer itself.

"most superior PC operating system on the planet", "most secure browser in the world", so many tiles... :)

Edited July 25, 2010 by Rob2687

[pezzonovante]

Protected Mode is useless when it gets bypassed. This affects other Windows components, not Internet Explorer itself.

I have never heard someone getting affected with a malware which managed to bypass Protected Mode, let alone get affected myself. Can you give an example of a known Protected Mode exploit?