Topic: Microsoft warns of new 0-day exploit, involving the Windows Shell (.lnk)


Samker

Windows shortcut vulnerability with rootkit - detailed video demo

Microsoft issued a security bulletin on Friday to warn customers of a 0-day exploit involving the Windows Shell: http://www.microsoft.com/technet/security/advisory/2286198.mspx

The vulnerability is caused by an error in Windows Shell when parsing shortcuts (.lnk). The flaw can be exploited automatically by executing a program via a specially crafted shortcut. Certain parameters of the .lnk are not properly validated on load, resulting in the vulnerability. Microsoft says it has "seen only limited, targeted attacks on this vulnerability."

For the exploit to be successful, users must insert removable media (when AutoPlay is enabled) or browse to the removable media (when AutoPlay is disabled). According to Microsoft's advisory, exploitation may also be possible via network shares and WebDAV shares: http://www.microsoft.com/technet/security/advisory/2286198.mspx

Microsoft states that the exploit affects all Windows versions since Windows XP, including Windows 7. However, security researcher Chester Wisniewski of Sophos reports that Windows 2000 and Windows XP SP2 (both unsupported by Microsoft) are affected by the flaw: http://www.sophos.com/blogs/chetw/g/2010/07/16/windows-day-attack-works-windows-systems/

Sophos explains that the flaw bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run. In a blog posting, Sophos researchers demonstrate the flaw (see above) on Windows 7, which becomes infected with a rootkit as a result.

Microsoft says users could halt attacks by disabling icons for shortcuts and switching off the WebClient service. Unfortunately, the suggestion is far from ideal for most corporate customers: disabling icon shortcuts will likely result in mass confusion for users, and turning off the WebClient service will render Microsoft SharePoint useless. Microsoft has not confirmed when a patch will be made available for the issue. The company's next Patch Tuesday is scheduled for August 10.

(NW)
