July 2010 - Posts

Microsoft LNK vulnerability fix coming on Monday


Published: 2010-07-30,
Last Updated: 2010-07-30 17:45:38 UTC
by Johannes Ullrich (Version: 1)


Microsoft is planning to release an out of band patch addressing the "Shortcut" vulnerability. The patch is scheduled for release on Monday, August 2nd, at 10am PDT.

As confirmed by Microsoft, a number of malware families have started incorporating the vulnerability into their exploit repertoire. For more details, see the Microsoft TechNet blog post [1].

[1] http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx

SophosLabs Released Free Tool to Validate Microsoft Shortcut


Published: 2010-07-26,
Last Updated: 2010-07-26 17:03:58 UTC
by Guy Bruneau (Version: 1)


SophosLabs has just released a free tool that provides detection against the Windows shortcut exploit we wrote about last week here and here. Sophos has indicated that it works alongside any antivirus software and on Windows XP/Vista/7, but not on Windows 2000. When Windows tries to display an icon for a shortcut, the tool intercepts the request in order to validate it and hands control back to the user if the shortcut is not found to be malicious.

SophosLabs has made a video available explaining what the exploit is and how the tool works here, and the tool is available for download here.

Update on .LNK vulnerability


Published: 2010-07-21,
Last Updated: 2010-07-21 13:58:43 UTC
by Adrien de Beaupre (Version: 1)


Microsoft have updated their security advisory 2286198, 'Vulnerability in Windows Shell Could Allow Remote Code Execution', to describe further attack vectors for this vulnerability. The vulnerability can be exploited using .LNK files on removable drives, via WebDAV and network shares, using .PIF files as well as .LNK files, and through documents that have shortcuts embedded within them. The original discussion of this vulnerability is here: isc.sans.edu/diary.html?storyid=9181
The ISC has previously raised the Infocon (isc.sans.edu/diary.html?storyid=9190) with regard to this issue, and will continue to monitor for any changes. Please let us know via our contact page or by commenting below if you have any new information on the issue, have been affected by this vulnerability being exploited, or have a copy of malware taking advantage of it.

Adrien de Beaupré

Keywords: LNK Microsoft Security Advisory Update PIF WebDav

Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow


Published: 2010-07-19,
Last Updated: 2010-07-19 18:01:06 UTC
by Lenny Zeltser (Version: 1)


We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation. Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far.

Although the original attack used the LNK vulnerability to infect systems from a USB key, the exploit can also launch malicious programs over SMB file shares. In one scenario, attackers that have access to some systems in the enterprise can use the vulnerability to infect other internal systems.

We discussed the LNK vulnerability in a diary a few days ago. That note pointed to Microsoft's advisory that described the bug "Windows Shell Could Allow Remote Code Execution," which affects most versions of Windows operating systems. Microsoft's workarounds for the issue include:

  • Disable the displaying of icons for shortcuts. This involves deleting a value from the registry, which is not the easiest thing to do in some enterprise settings. Group Policy-friendly options include the use of Registry Client-Side Extensions, the regini.exe utility, and the creation of a custom .adm file; see Distributing Registry Changes for details.
  • Disable the WebClient service. This will break WebDAV and any services that depend on it.

Another approach to mitigate the possible LNK attack involves the use of Didier Stevens' tool Ariad. Note that the tool is beta-software operating in the OS kernel, so it's probably not a good match for enterprise-wide roll-out.

Additional recommendations for making the environment resilient to an attack that exploits the LNK vulnerability include:

  • Disable auto-run of USB key contents. This would address one of the exploit vectors. For instructions, see Microsoft KB967715.
  • Lock down SMB shares in the enterprise, limiting who has the ability to write to the shares.
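To check which of the workarounds from the two lists above are actually in effect on a host, here is a read-only PowerShell audit script written for this note; it is not part of the original diary, the Sophos tool or Microsoft's advisory. It reads the default value of the HKCR\lnkfile\shellex\IconHandler key that the advisory's icon-display workaround deletes (the piffile key is assumed to mirror it for .PIF shortcuts), the WebClient service state, and the NoDriveTypeAutoRun policy value described in KB967715; the SMB share lock-down is a permissions review and is not covered here.

```powershell
# Added audit script (not from the ISC diary or Microsoft): reports whether the
# LNK workarounds listed above are in effect on this host. It only reads state.

function Get-IconHandlerState {
    param([string]$FileClass)   # 'lnkfile', or 'piffile' (assumed to mirror lnkfile)
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$FileClass\shellex\IconHandler")
    if ($key -eq $null) { return 'key missing' }
    $clsid = $key.GetValue('')   # the (Default) value holds the handler CLSID
    $key.Close()
    if ([string]::IsNullOrEmpty($clsid)) { 'disabled (default value removed)' }
    else { "enabled ($clsid)" }
}

function Get-WebClientState {
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    if ($svc -eq $null) { return 'service not present' }
    "$($svc.State), start mode $($svc.StartMode)"
}

function Get-AutoRunState {
    # KB967715: NoDriveTypeAutoRun = 0xFF under the Explorer policy key turns AutoRun off
    # for every drive type; the HKLM value is checked, per-user HKCU overrides are not.
    $policy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($value -eq $null) { return 'policy value not set (AutoRun defaults apply)' }
    if ($value -eq 0xFF) { 'disabled for all drive types (0xFF)' }
    else { 'partially restricted (0x{0:X})' -f $value }
}

$report = @(
    New-Object PSObject -Property @{ Mitigation = 'LNK icon handler';  State = Get-IconHandlerState 'lnkfile' }
    New-Object PSObject -Property @{ Mitigation = 'PIF icon handler';  State = Get-IconHandlerState 'piffile' }
    New-Object PSObject -Property @{ Mitigation = 'WebClient service'; State = Get-WebClientState }
    New-Object PSObject -Property @{ Mitigation = 'AutoRun policy';    State = Get-AutoRunState }
)
$report | Format-Table Mitigation, State -AutoSize
```

Run it from an elevated prompt on each host you want to audit; a reported "enabled" icon handler, running WebClient service, or unset AutoRun policy means that workaround is not in place.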

Sadly, enterprises that are likely to ever disable auto-run and lock down SMB file shares have probably done so already, back when the Conficker worm began spreading. Another challenge is that Windows 2000 and Windows XP Service Pack 2 are vulnerable, yet Microsoft no longer provides security patches for these OS versions. As a result, we believe most environments will be exposed until Microsoft releases a patch. We're raising the Infocon level in the hope that increased vigilance will improve enterprises' ability to detect and respond to attacks that may use the LNK vulnerability.

Do you have recommendations for addressing the LNK issue? Let us know.

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

Published: 2010-07-13,
Last Updated: 2010-07-13 17:30:42 UTC
by Jim Clausing (Version: 1)

Overview of the July 2010 Microsoft Patches and their status.

Important: with today's patches, support for XP SP2 officially comes to an end.  There will be no more patches for XP SP2 after today.

For each bulletin: Affected, Contra Indications, Known Exploits, Microsoft rating, ISC rating (clients / servers)(*).

MS10-042 Vulnerability in Help and Support Center Could Allow Remote Code Execution
  • Affected: Windows XP SP2 and above, Windows Server 2003 SP2
  • Contra Indications: KB 2229593
  • Known Exploits: actively being exploited
  • Microsoft rating: Severity: Critical, Exploitability: 1
  • ISC rating: clients PATCH NOW!, servers Critical

MS10-043 Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
  • Affected: Windows 7 x64, Windows Server 2008 R2 x64
  • Contra Indications: KB 2032276
  • Known Exploits: no known exploits
  • Microsoft rating: Severity: Critical, Exploitability: 2
  • ISC rating: clients Critical, servers Critical

MS10-044 Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution
  • Affected: Access 2003 SP3, Access 2007 SP1 and above
  • Contra Indications: KB 982335
  • Known Exploits: no known exploits
  • Microsoft rating: Severity: Critical, Exploitability: 1,1
  • ISC rating: clients Critical, servers Critical

MS10-045 Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (Replaces MS09-060)
  • Contra Indications: KB 978212
  • Known Exploits: no known exploits
  • Microsoft rating: Severity: Important, Exploitability: 1
  • ISC rating: clients Critical, servers Critical


We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.


Info from Microsoft:

Windows 2000


Windows XP SP2