
Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Critical Windows Flaw Gets Out of Cycle Patch From Microsoft

It might have started slowly, but reports of a major vulnerability in Windows systems that surfaced following July's security bulletin release by Microsoft have been deemed important enough for Microsoft to release an out-of-cycle bulletin, a week ahead of the scheduled August Security Bulletin release.

The vulnerability was first detected in malware targeting Windows-based SCADA systems, and as more information came to light over subsequent days its scope grew steadily worse. Microsoft's current advisory on the issue highlights that it affects all currently supported versions of Windows (XP SP3, 2003, Vista, 2008, 7), as well as the recently unsupported Windows 2000 and XP SP2.

At fault is the way that the Windows Shell handles the processing of shortcuts, in particular the rendering of shortcut icons. This can be triggered via USB drives, remote shares, WebDAV, or even shortcuts embedded in otherwise safe documents. According to Microsoft's current advisory, it is even possible to trigger this through a normal website, provided that the icon file is present for the browser to attempt to render (or at least pass off to the system for processing). The at-risk file extensions are currently reported as .lnk and .pif, which makes filtering on extension alone very difficult to achieve without causing issues for wider system usefulness and stability.

Microsoft's non-patch mitigation recommendation is to disable the displaying of shortcut icons via the Registry, and to disable the WebClient service, though this will impact applications relying upon the WebClient service for functionality.

To trigger the vulnerability, a user has to open or browse to a folder that contains a malicious .lnk or .pif file, irrespective of the folder's location. If autorun is enabled, any external media (USB devices, for example) can trigger the vulnerability just by being attached to a Windows system. Interacting with the file itself is not required; browsing to the folder containing it is enough.
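The following script, added here as an example rather than code from the original article or from Microsoft, applies and verifies the non-patch workarounds discussed above (disabling shortcut icon rendering via the Registry and disabling the WebClient service) and, since the paragraph above notes that autorun lets removable media trigger the flaw without any click, also disables autorun. The icon-handler key paths and the NoDriveTypeAutoRun policy value are assumptions drawn from how these workarounds are normally applied on Windows, not values taken from this page; it assumes an elevated PowerShell 5.1 session.

```powershell
# Added example (not from the original article or Microsoft's advisory):
# apply and verify the non-patch workarounds on one host, keeping backups
# so they can be reversed once the out-of-cycle patch is installed.
# Assumed (not on the page): the two IconHandler keys below are the shell
# icon handlers for .lnk and .pif, and NoDriveTypeAutoRun = 0xFF disables
# autorun for every drive type. Requires an elevated PowerShell 5.1 session.

#Requires -RunAsAdministrator

$BackupDir = Join-Path $env:ProgramData 'lnk-workaround-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Shell icon handlers for the two at-risk shortcut types
$IconHandlerKeys = @(
    'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Disable-ShortcutIconHandlers {
    foreach ($key in $IconHandlerKeys) {
        $name   = ($key -split '\\')[1]           # lnkfile / piffile
        $backup = Join-Path $BackupDir "$name-IconHandler.reg"
        # Export the key first so the original handler CLSID can be restored
        & reg.exe export $key $backup /y | Out-Null
        # Blanking the (default) value stops the shell from loading the
        # handler, so shortcut icons are no longer rendered
        Set-ItemProperty -Path "Registry::$key" -Name '(default)' -Value ''
    }
}

function Disable-WebClientService {
    # WebDAV is one of the delivery vectors named in the article
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

function Disable-AutoRun {
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $policy -Force | Out-Null
    # 0xFF disables autorun on all drive types, so attaching removable
    # media no longer opens its folder automatically
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-Workaround {
    # Returns $true only when every workaround is confirmed in place
    $ok = $true
    foreach ($key in $IconHandlerKeys) {
        $val = (Get-ItemProperty -Path "Registry::$key").'(default)'
        if ($val) { Write-Warning "Icon handler still set: $key = $val"; $ok = $false }
    }
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -ne 'Disabled') {
        Write-Warning 'WebClient service is not disabled'; $ok = $false
    }
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $auto = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($auto -ne 0xFF) { Write-Warning 'Autorun is not fully disabled'; $ok = $false }
    return $ok
}

Disable-ShortcutIconHandlers
Disable-WebClientService
Disable-AutoRun
if (Test-Workaround) {
    Write-Host "Workarounds applied; backups in $BackupDir. Restart Explorer or reboot for icon changes to take effect."
}
```

Test-Workaround can be run on its own (or from a management tool) to audit hosts before the patch is deployed; restoring the exported .reg files and re-enabling WebClient reverses the change once the bulletin has been installed.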

While the .lnk or .pif file can be located anywhere, the executed code has to be positioned in a known location in order to be properly targeted and launched.

Unless the at-fault code is a piece of code that has survived from Windows XP, through the various iterations of Microsoft's secure development initiatives, and made its way into all later versions of Windows without the problem being noticed, the implication is that the underlying vulnerability is a design error. Either way, whether a flawed initial implementation that was then re-used or a design fault, the entire Windows line is at risk of arbitrary code execution through some very simple actions. About the only redeeming factor for the moment is the very targeted use the malware has seen so far, and that it has not yet been able to exploit the vulnerability automatically across networks, though it can be triggered through different vectors.

Windows administrators are strongly urged to apply the bulletin as soon as it is released this week. With the late notice of the release, it is likely the first that many will know about it is when it appears ready for installation.

With its applicability across all Windows systems and its seemingly simple method of execution, this vulnerability is sure to be an attack vector for many years to come.

The use of legitimate digital certificates to sign the current malware has some researchers scratching their heads as to just how well connected the malware writers may be.

On the positive side, Microsoft has opened the specification for .lnk files, so perhaps many eyes will make for shallow bugs. The other side of that is that the specification was released only a couple of days before the malware was reported as being detected, so there is always the possibility that someone discovered their own vulnerability in the specification and targeted it as a result. There is always the Security - None section, which is somewhat telling.

1 August 2010
