Windows (all versions) Zero Day lnk vulnerability VERY serious

[Lechio]

I have never heard someone getting affected with a malware which managed to bypass Protected Mode, let alone get affected myself. Can you give an example of a known Protected Mode exploit?

Read the article. What gets affected with this exploit is the Windows Shell, not Internet Explorer. The Windows Shell is a key component of the OS. The fact that Internet Explorer runs on Protected Mode can't do anything about it. This is the example.

[pezzonovante]

Read the article. What gets affected with this exploit is the Windows Shell, not Internet Explorer. The Windows Shell is a key component of the OS. The fact that Internet Explorer runs on Protected Mode can't do anything about it. This is the example.

So, it's not a IE8 vulnerability. If users run IE8 on Windows 7 with the default settings, they are highly unlikely to get affected. They have to visit some risky websites affected by this exploit and ignore the warning message given by Windows 7, and they have to do this before Microsoft rolls out the patch. Sorry, I can't see anyone achieving this feat unless they are absolutely determined to get a malware on their machine.

He also spotted different results that varied by the version of Windows running the PC, echoing comments from other researchers that drive-by attacks using IE6, IE7, IE8 and IE9 were successful on Windows XP, but not on the newer Windows 7. "It looks like Windows 7 has some additional magic which creates a pop-up [warning], and I suspect Vista is the same," said Moore.

[kill3rt0m4t0]

Read the article. What gets affected with this exploit is the Windows Shell, not Internet Explorer. The Windows Shell is a key component of the OS. The fact that Internet Explorer runs on Protected Mode can't do anything about it. This is the example.

As much as it makes me wince to actually read this level of ignorance, let alone respond to it, I'll give it a shot anyway.

The exploit may work, but its effects will be contained within Protected Mode's "sandbox", which runs at a low integrity level. So, yes, Protected Mode can do something about it. A lot, actually.

What you're describing is a privilege escalation exploit, which is completely inaccurate in this case, as it's been made clear that payloads launched via the exploit can only gain the local user's access privileges. Protected Mode relies on UAC and Windows' interface privilege isolation mechanisms to work, so if the exploit defeats Protected Mode, it'd have similarly defeated UAC as well. This is not the case.

Please, do yourself a favor, and stick to talking about Linux in future. All you accomplish whenever you run your mouth off about Windows is make it clear you have absolutely no idea what you're talking about.

[seta-san]

get the clue. dump sp2.

[Lechio]

get the clue. dump sp2.

All versions of Windows are affected, Windows 7 included, not only Windows XP SP2.

Sorry about the big letters, but this doesn't seem to be clear yet.

[Lechio]

What you're describing is a privilege escalation exploit, which is completely inaccurate in this case, as it's been made clear that payloads launched via the exploit can only gain the local user's access privileges.

User's access privileges. That's reassuring, meaning it only has access to the user's data. :rolleyes:

Please, do yourself a favor, and stick to talking about Linux in future. All you accomplish whenever you run your mouth off about Windows is make it clear you have absolutely no idea what you're talking about.

No I will not. And I don't think you are entitled to tell me what I can or cannot do. I also don't considered you are entitled to call me an ignorant.

For one you have no idea who I am and what are my qualifications.

[kill3rt0m4t0]

User's access privileges. That's reassuring, meaning it only has access to the user's data. :rolleyes:

I'm sorry, but it looks like you insist on continuing to display your ignorance, and even doing so with a smug attitude as though it's something to be proud of. Any exploit payloads launched via IE under Protected Mode cannot destroy or modify user data, and any attempt to steal that data is easily prevented using any properly-configured two-way firewall - such as Windows Firewall.

[+Warwagon MVC]

The way I understood it is there is the webdev exploit. In that case yes, only IE6 is really in trouble because it doesn't confirm when connecting to a webdev. Now a guy figured out how to use favicon's. If this is true, it has nothing to do with Webdev.

[Lechio]

I'm sorry, but it looks like you insist on continuing to display your ignorance, and even doing so with a smug attitude as though it's something to be proud of. Any exploit payloads launched via IE under Protected Mode cannot destroy or modify user data, and any attempt to steal that data is easily prevented using any properly-configured two-way firewall - such as Windows Firewall.

Again with the name calling. Can't your arguments stand by their validity instead of using those type of adjectives?

Are you a 13-year old?

Fact: thousands of systems are now compromised by this exploit. No firewall, no Protected Mode have been able to stop the infection.

Microsoft itself names this as a very serious vulnerability.

You on the other hand keep up with that make believe based on no facts.

This is the last time I'll be replying to your comment if you keep up with the name calling.

[hdood]

Where does it say that? IE6 doesn't ask you permission to connect to a WebDav share, that's why it's more serious when using that version of IE ( when the infection vector is WebDav shares ). The favicons are displayed in every browser.

You apparently didn't read that part.

You can't infect anything with just a .lnk file though. You actually have to have an external executable to run. That means that in order to run your code, you must have a way of getting the executable onto the system. Examples of that includes memory sticks, network shares, webdav, because a shortcut can point directly to a file on them.

As for favicons, I'd like to again ask for evidence of this. Steve Gibson is not a credible source of anything. An icon (which is what favicon.ico is) is a very different thing from a shortcut (.lnk). An icon is a pure data file that simply contains raw bitmap/PNG data, and I don't see what that has to do with this vulnerability (which as far as I know is not in an image decoder). I lean towards Gibson (who is not an expert on much) having misunderstood. It's also worth noting that the chances of all the browsers using the same code parse icons is slim to none. They will be using their own internal image decoder. That means that even if something were to affect IE, you could just use a different browser.

[The_Decryptor Veteran]

What does IE do if you set the favicon of the page, to a shortcut stored in a webdav folder? That's the only way I could think of it happening.

[ViperAFK]

So it only affects XP and ie6? :rolleyes:

[kill3rt0m4t0]

Again with the name calling. Can't your arguments stand by their validity instead of using those type of adjectives?

Are you a 13-year old?

My arguments are valid - but that doesn't change the fact that you try to put on an air of superiority as you churn out your nauseating brand of FUD, but then turn out to be so atrociously wrong that it makes people want to cringe, on simple subject matters that you could've quickly educated yourself about by spending five minutes on Google and/or Wikipedia, and then cry, whine, and bring up your imaginary qualifications when people point out the obvious.

I gave you some friendly advice to stick to talking about Linux in future, so that you don't keep embarrassing yourself. But hey, to each his own.

Fact: thousands of systems are now compromised by this exploit. No firewall, no Protected Mode have been able to stop the infection.

Microsoft itself names this as a very serious vulnerability.

And you say I play make believe? Really?? Honestly, the irony is just gushing out in bucketloads here.

Let's assume that your claim that "thousands of systems are now compromised", is true, even though the article makes no mention of it, and you don't provide a reference for this "fact". There's still so many thing wrong in that quoted paragraph above that I'm spoiled for choice where to begin. First of all, we're talking about an exploit, not an infection. Secondly, no one has claimed that firewalls and Protected Mode stop the exploit; there's a difference between an exploit and exploit payload(s). Thirdly, that firewalls and Protected Mode do nothing is completely wrong. Protected Mode prevents the malware delivered via the exploit from doing anything but steal user data, and a properly-configured firewall prevents that.

Please note the emphasis on "properly-configured". Your claim made as much sense as saying that because your car doesn't work right if you don't know how to drive it, it means cars are useless.

The only fact here is that your claim that "all Windows users should stay away from the Web, or apply the MS suggested solution that eliminates the icons" is completely and utterly wrong. And while you may have initially had the excuse of ignorance, you know better by now, and by sticking to your original claim you're turning it from an (possibly) honest mistake into a deliberate lie, which you're now trying to defend with even more and more lies.

This is the last time I'll be replying to your comment

It's what you do best anyway. Lie low for a while when proven wrong, hope the attention goes away, and strike back with the same old FUD over and over.

[hdood]

I have never heard someone getting affected with a malware which managed to bypass Protected Mode, let alone get affected myself. Can you give an example of a known Protected Mode exploit?

Microsoft has demonstrated bypassing PMIE at several talks. It does however require user interaction, by getting them to click a button, but that isn't necessarily very hard. It's worth noting that PMIE still has full read access to your system. It also has write access to certain namespaces and access to most Windows APIs (which can both be to manipulate other programs). The fact is that Windows was never designed to have security within a session, and that's why elevation, integrity levels, UIPI, and UAC are not security boundaries. These are all hacks that were jury rigged onto an architecture that simply wasn't designed for it, and Microsoft makes no guarantees about them even working.

While windowing does have some limited security by blocking a small amount of of messages through UIPI (mostly those that could be used for code injection), it's not much. When it comes to graphics, there is no security and anything can freely draw whatever it wants anywhere. That includes drawing penises on top of warning messages in IE. What use is a warning message if you can just change it to say something else?

That said, I'm not really aware of any such malware in the wild, and I suspect the number is low. Mostly because it's more work than needed. People will just run freeporn.exe if you ask them anyway.

What you're describing is a privilege escalation exploit, which is completely inaccurate in this case, as it's been made clear that payloads launched via the exploit can only gain the local user's access privileges. Protected Mode relies on UAC and Windows' interface privilege isolation mechanisms to work, so if the exploit defeats Protected Mode, it'd have similarly defeated UAC as well. This is not the case.

Well, it's debatable if you could really consider the hypothetical scenario privilege escalation, and a bug that affected integrity levels or elevation would not be a security bug.

Fact: thousands of systems are now compromised by this exploit. No firewall, no Protected Mode have been able to stop the infection.

There is still zero evidence that it can spread through a browser though, so PM is irrelevant. The current exploit that has infected thousands of systems certainly has nothing to do with IE.

[Mr. Gibs]

That includes drawing penises on top of warning messages in IE. What use is a warning message if you can just change it to say something else?

I thought the point of secure desktop (ie the black background when UAC pops-up) was to prevent any program from manipulating that window and to ensure that only the keyboard / mouse can actually click it (ie no automated scripts would work)

Fact: thousands of systems are now compromised by this exploit. No firewall, no Protected Mode have been able to stop the infection.

According to the authors claim of 9000 exploits a day (I haven't been able to find any such proof on the internet, but thats besides the matter), is still pretty dam low. I mean in a month 270,000 computers will be infected and thats like what? Less than 0.5% of the total computers in the world?

Not to mention a firewall will be able to stop the attack since you can block it from sending out data. And pretty much every AV that has access to MAPP has all the technical details they need to make a relatively good signature (I know f-secure, bitdefender, and kaspersky have all updated their signature databases in order to detect this)

[hdood]

I thought the point of secure desktop (ie the black background when UAC pops-up) was to prevent any program from manipulating that window?

The warning messages shown by the IE broker process (the part of PMIE that runs with full rights) aren't shown on the secure desktop. They're just normal windows.

The UAC prompt you're thinking of is only shown when you elevate something from standard user to administrator (medium to high integrity.) There's no such thing for low to medium.

[+Warwagon MVC]

I lean towards Gibson (who is not an expert on much) having misunderstood. It's also worth noting that the chances of all the browsers using the same code parse icons is slim to none. They will be using their own internal image decoder. That means that even if something were to affect IE, you could just use a different browser.

Honestly I'd rather be overly worried than not worried enough.

[kill3rt0m4t0]

The warning messages shown by the IE broker process (the part of PMIE that runs with full rights) aren't shown on the secure desktop. They're just normal windows.

AFAIK those windows can only be called by already-installed plugins?

If I'm correct, then your argument becomes moot anyway.

[hdood]

AFAIK those windows can only be called by already-installed plugins?

If I'm correct, then your argument becomes moot anyway.

Any code running in the low integrity process.

[kill3rt0m4t0]

Any code running in the low integrity process.

Just so I'm absolutely clear which window you're talking about - link to an image of said window? Thanks in advance.

[hdood]

Just so I'm absolutely clear which window you're talking about - link to an image of said window? Thanks in advance.

Any window shown by IE.

[kill3rt0m4t0]

Any window shown by IE.

Given how I can't find any further information on this, I'm rather skeptical.

Besides, how would you accomplish it? IE uses a native interface instead of, say, Firefox's XUL, meaning it's impossible to manipulate the browser chrome using Javascript or CSS. Buffer overflow attacks are a possibility, but DEP and ASLR more or less shut off that avenue. So what's left?

[hdood]

Honestly I'd rather be overly worried than not worried enough.

I'm not going to worry about some random claim with no evidence.

Given how I can't find any further information on this, I'm rather skeptical.

Besides, how would you accomplish it? IE uses a native interface instead of, say, Firefox's XUL, meaning it's impossible to manipulate the browser chrome using Javascript or CSS. Buffer overflow attacks are a possibility, but DEP and ASLR more or less shut off that avenue. So what's left?

I don't mean to sound rude, but you aren't paying attention. The claim was that anything that exploits a bug in IE is not much of an issue because it's contained by protected mode. I explained how it's not exactly a supermax prison and what the weaknesses are. No one except you said anything about Javascript or CSS. The context was malware running in protected mode, not how it got there.

Like I said, you can manipulate anything on the screen, because graphics in Windows has no concept of security. Windows was never designed with such an architecture. It wasn't designed to have finer granularity than sessions.

[kill3rt0m4t0]

I don't mean to sound rude, but you aren't paying attention. The claim was that anything that exploits a bug in IE is not much of an issue because it's contained by protected mode. I explained how it's not exactly a supermax prison and what the weaknesses are. No one except you said anything about Javascript or CSS. The context was malware running in protected mode, not how it got there.

Like I said, you can manipulate anything on the screen, because graphics in Windows has no concept of security. Windows was never designed with such an architecture. It wasn't designed to have finer granularity than sessions.

Probably not. As far as I can tell, you're describing something so vague and theoretical, without providing any examples or reference sources, that I'm not sure I understand how it translates to the real world.

[hdood]

Probably not. As far as I can tell, you're describing something so vague and theoretical, without providing any examples or reference sources, that I'm not sure I understand how it translates to the real world.

It's not vague at all. I don't know what you're having a hard time understanding.