Windows (all versions) Zero Day lnk vulnerability VERY serious

By +Warwagon
in Back Page News

 Share

Recommended Posts

Grand Master

Mr. Gibs

Posted
Posted

Probably not. As far as I can tell, you're describing something so vague and theoretical, without providing any examples or reference sources, that I'm not sure I understand how it translates to the real world.

1. Protected mode can be exploited. It's hard, but not impossible. The easiest way is to manipulate the window that prompts for access. This leads us onto number 2:

2. What hdood is trying to say is the protected mode in IE doesn't have a secure desktop, so anything can modify that window. Hence instead of it being a warning, it can simply be a little picture saying thanks for using IE or w/e

How can this translate to the real world?

Not sure, but one example I can think of would go like this:

1. Trojan makes you download files, PMIE window is redrawn to seem harmless. User clicks ok, files run with elevated privileges.

2. Trojan exploits a hole in IE, PMIE window is redrawn to seem harmless. User clicks ok, trojan now has elevated privileges.

Essentially protected mode has been defeated. At least thats what I understood from what hdood was saying, could be wrong so.

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

Sophos has released a detection/blocking tool for this problem:

http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html

Awesome thanks for the heads up.

Installed.

Grand Master

Mr. Gibs

Posted
Posted

One question though: Shouldn't all AV vendors have updated their definitions to detect/block this by now?

You would think so.

I mentioned it on the previous page ;):

And pretty much every AV that has access to MAPP has all the technical details they need to make a relatively good signature (I know f-secure, bitdefender, and kaspersky have all updated their signature databases in order to detect this)
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

Can't an AV detect only detect the malware being installed by the exploit? I don't think they can detected the exploit it's self without installing something like what is in the free sophos' tool.

Neowinian

Walid Damouny

Posted
Posted

You can't infect anything with just a .lnk file though. You actually have to have an external executable to run.

Not exactly. The bug is in the Windows shell. As soon as Windows tries to view a maliciously crafted .LNK file, code in the file's icon data gets executed. This is why the fix that Microsoft released makes the icons on the desktop (the shortcuts not actual files as far as has been mentioned in the news) turn into white blank icons. The thing that the fix is doing is it is stopping the Windows Shell from trying to draw the icons because the bug exists in the drawing mechanism of the Windows Shell. If the Windows Shell was not buggy then yes "You can't infect anything with just a .lnk file."

Steve Gibson is not a credible source of anything. An icon (which is what favicon.ico is) is a very different thing from a shortcut (.lnk). An icon is a pure data file that simply contains raw bitmap/PNG data, and I don't see what that has to do with this vulnerability (which as far as I know is not in an image decoder).

As for Steve Gibson, he is primarily a programmer and works on security related projects and other stuff http://www.grc.com/resume.htm. Calling someone as "not a credible source of anything" is a stretch if you don't know them or what they have done.

Now going back to the Windows Shell. Both favicon.ico and .LNK are primarily Windows files. You would think that displaying icons on webpages is a standard thing but no it is not. It was first enabled by Internet Explorer (I think version 4) and then websites used it and then other browsers added this functionality. In Internet Explorer favicon.ico as has been mentioned in the news is delegated to the Windows Shell and the bug is there as I explained above.

Grand Master

hdood

Posted
Posted

Not exactly. The bug is in the Windows shell. As soon as Windows tries to view a maliciously crafted .LNK file, code in the file's icon data gets executed. This is why the fix that Microsoft released makes the icons on the desktop (the shortcuts not actual files as far as has been mentioned in the news) turn into white blank icons. The thing that the fix is doing is it is stopping the Windows Shell from trying to draw the icons because the bug exists in the drawing mechanism of the Windows Shell. If the Windows Shell was not buggy then yes "You can't infect anything with just a .lnk file."

I don't think that's how it works. From what I gathered (and I haven't looked at it since it first made the news) the lnk file doesn't contain any code. The vulnerability is in control panel code. The icon section of a lnk file points to a resource in an external exe/dll file. When parsing the lnk files, Windows goes and loads the icon from this external file. Normally this is just read as data, but for control panels it will actually execute code in the dll. In this case, it ends up running malicious code. In other words, the bug is not in any of the icon functions in the shell. I am of course open to be shown otherwise, if you can show actual credible information.

As for Steve Gibson, he is primarily a programmer and works on security related projects and other stuff http://www.grc.com/resume.htm. Calling someone as "not a credible source of anything" is a stretch if you don't know them or what they have done.

I am very familiar with Gibson. That's why I wrote it. I wasn't just trying to be mean to a random person.

Now going back to the Windows Shell. Both favicon.ico and .LNK are primarily Windows files. You would think that displaying icons on webpages is a standard thing but no it is not. It was first enabled by Internet Explorer (I think version 4) and then websites used it and then other browsers added this functionality. In Internet Explorer favicon.ico as has been mentioned in the news is delegated to the Windows Shell and the bug is there as I explained above.

Yes, they are both Windows formats, but an .ico file is just raw data, and is a completely unrelated format to .lnk. Since the bug does not appear to be in any of the code that actually processes the icon data itself, it shouldn't affect .ico files.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Password Safe 3.72.0

      By Copernic · Posted

      Password Safe 3.72.0 by Razvan Serea Password Safe is a password database utility. Like many other such products, commercial and otherwise, it stores your passwords in an encrypted file, allowing you to remember only one password (the "safe combination"), instead of all the username/password combinations that you use. Once stored, your user names and passwords are just a few clicks away. Using Password Safe you can organize your passwords using your own customizable references—for example, by user ID, category, web site, or location. You can choose to store all your passwords in a single encrypted master password list (an encrypted password database), or use multiple databases to further organize your passwords (work and home, for example). And with its intuitive interface you will be up and running in minutes. PasswordSafe was originally designed by the renowned security technologist Bruce Schneier and released as a free utility application. Password Safe 3.72.0 changelog: Fixed bugs Improved font scale handling - should resolve font size issues on high resolution displays. GH1749 In the Master Password Setup window, "Show Master Password" is no longer truncated on some displays. GH1092, SF1595 Size and position of main window is now correctly restored on scaled displays. SF1630 Keep password expiry date when both password and password expiry are changed; don't clear a non-recurring expiry when the password's changed. SF1628 Custom values can now be copied to the clipboard in read-only mode via Ctrl-C and right-click->Copy Value. New features GH1196 Dark display mode support: Password Safe now supports the system display mode, as well as setting the mode directly via Manage->Options->Display->Display Mode. This change also updates the general "look & feel" of the app to the current Windows theme. Known limitations: The Date picker and keyboard shortcut controls do not switch to dark theme The Customize Toolbar dialog does not switch to dark theme Custom Field support has been added to the more advanced features: Filters XML and Text import and export Comparison, Sync and Merge databases SF938 Custom field values may now be selected by name and copied via a "Copy Custom Field Value..." submenu in the entry context popup menu. SF936 Notes and Custom fields layout now overlap, selectable by tabs, resulting in a more compact and less cluttered layout. SF935 Autotype: Specifying '\v{name}' in the autotype text will cause the corresponding value to be autotyped. Download: PasswordSafe 64-bit | Portable 64-bit | ~20.0 MB (Open Source) Download: PasswordSafe 32-bit | Portable 32-bit View: PasswordSafe Website | Quickstart Guide | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Google DeepMind AI Control Roadmap: When Alignment Fails, Defense-in-Depth Takes Over

      By +TRS-80 · Posted

      Google DeepMind published a document on June 18, 2026, that may be the most consequential admission yet from a frontier AI lab: alignment training alone cannot guarantee that AI agents will remain under human control, so structural containment must be built before more capable models arrive.............. https://www.techtimes.com/articles/318758/20260620/google-deepmind-ai-control-roadmap-when-alignment-fails-defense-depth-takes-over.htm  
    • Creative Sound Blaster AE-X PCIe review: your headphones will love it

      By Taliseian · Posted

      I've got a SoundBlasterX G6 that I use in my streaming setup. Sounds great to me and I've had zero issues with the ancient software package so far in Win11. That G6 has 7.1, Dolby, fully working SPDIF and since it's a USB device it's outside of my rig so I don't have to worry about EMF distortion. Looks like for now this is a pass for me as I think I have better hardware....
    • Creative Sound Blaster AE-X PCIe review: your headphones will love it

      By OldGuru · Posted

      How do you connect 5.1 Speakers to this thing?
    • A 13 billion year old secret about our Universe's origin was revealed

      By Taliseian · Posted

      I agree with both of you... It's absolutely imperative that science is completely based on actual proven facts and hard evidence and is not considered dogmatic in any way. Science is not a religion and it will never be, and that's exactly how it's supposed to be.

  • Recent Achievements

    • Dedicated
      JuvenileDelinquent earned a badge
      Dedicated
    • First Post
      DrWankel earned a badge
      First Post
    • Reacting Well
      DrWankel earned a badge
      Reacting Well
    • Week One Done
      Supreme Spray LV earned a badge
      Week One Done
    • Week One Done
      Genuinetonerink- Dubai earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      502
    2. 2
      +Edouard
      170
    3. 3
      PsYcHoKiLLa
      88
    4. 4
      Steven P.
      75
    5. 5
      Michael Scrip
      73
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!