Windows LNK Zero day vulnerability

Update:  August 2, 2010.  Microsoft has released an update to fix this vulnerability and recommends applying it immediately via Windows Update.

Microsoft Security Bulletin MS10-046 – Critical – Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

July 2010.  A new and dangerous vulnerability has been discovered in Microsoft’s Windows operating systems.

It is called the Windows Shell LNK Icon shortcut rendering zero day flaw.  It affects all versions of Windows.

This exploit is particularly dangerous because malicious code runs as soon as Windows renders the icon of a tainted shortcut (.lnk or .pif); no user interaction is required.  That makes it wormable.  The tainted shortcut file can be on a web site, a USB drive, a network share, a WebDAV share or embedded in a document.  It has been seen in the wild as of July 2010.

The malicious code that is run may include backdoors and rootkits.

Microsoft is expected to release a patch for this problem quickly, likely out of cycle as soon as it is ready.  In the meantime, Microsoft and Sophos have released workarounds:

Microsoft workaround (Fix It).  Note that the Microsoft workaround renders some shortcut icons as white boxes.

Sophos provides free tool to protect against Windows .LNK zero-day vulnerability

Install the Microsoft update as soon as it is released!

References:

Common Vulnerabilities and Exposures – CVE-2010-2568

Microsoft Security Advisory (2286198) – Vulnerability in Windows Shell Could Allow Remote Code Execution

Notes:

Sophos reports 3 versions in the wild with payloads:  Stuxnet and Dulkis worms, as well as the Chymin Trojan horse.

Antivirus makers report that their products detect and remove the payloads.

Payloads may include drivers signed with valid certificates – surprising and dangerous.

Windows XP SP2 is no longer supported by Microsoft and may not receive a fix – dangerous because a lot of XP SP2 computers are still in use.

Windows 2000 is not affected?  NT?
