Forum Thread: Microsoft Windows Shell Shortcut Parsing Vulnerability

Secunia Microsoft Windows Shell Shortcut Parsing Vulnerability
Secunia Official 24th Jul, 2010 12:23
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
A vulnerability has been reported in Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in Windows Shell when parsing shortcuts (.lnk or .pif) as certain parameters are not properly validated when attempting to load the icon. This can be exploited to automatically execute a program via a specially crafted shortcut.

Successful exploitation requires that a user is e.g. tricked into inserting removable media (when AutoPlay is enabled) or browsing to the root folder of the removable media (when AutoPlay is disabled) using Windows Explorer or a similar file manager. Exploitation may also be possible via network shares and WebDAV shares or via documents supporting embedded shortcuts.

NOTE: This is currently being actively exploited in the wild via infected USB drives.
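The advisory's point is that the shell parses the shortcut and resolves its icon source before the user ever opens the file, so an inspection tool for a defender has to work the same way: read the shortcut as bytes and look at where the icon would be loaded from. The following is an added example, not code from Secunia, Microsoft or any poster in this thread. It parses the header, item ID list, LinkInfo and string data of a .lnk file following the public MS-SHLLINK layout, and `scan_tree` applies that parser to every shortcut under a folder such as the root of a mounted removable drive or a network share, the two delivery paths the advisory names. The flagging rules in `assess` (UNC or relative icon paths, icon libraries outside the Windows directory, targets that are only an opaque item ID list) are a triage heuristic assumed for this example and are not the precise validation the patch corrected; the sample shortcuts built by `build_sample_lnk` are constructed fixtures, not real files.

```python
# Inspect Windows shell link (.lnk) files and flag unusual icon sources.
# Layout per the public MS-SHLLINK spec: 76-byte ShellLinkHeader, optional
# LinkTargetIDList, optional LinkInfo, then StringData. The flagging rules are
# a triage heuristic chosen for this example, not the exact check the patch fixed.
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, List

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries appear in this order when their LinkFlags bit is set
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location"))
WINDOWS_DIR_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows")

@dataclass
class LnkInfo:
    flags: int
    icon_index: int
    id_list_items: int
    strings: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

def _read_string(data, pos, unicode):
    # CountCharacters (16-bit) followed by the characters, no terminator
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("latin-1"), pos + count

def assess(info: LnkInfo) -> List[str]:
    # Heuristic triage rules assumed for this example (see lead-in)
    findings = []
    low = info.strings.get("icon_location", "").lower()
    if low:
        if low.startswith("\\\\"):
            findings.append("icon source is a UNC path (loaded from a network share)")
        elif not low.startswith("%") and not (len(low) > 1 and low[1] == ":"):
            findings.append("icon source is a relative path (resolved next to the shortcut)")
        if low.endswith((".dll", ".cpl")) and not low.startswith(WINDOWS_DIR_PREFIXES):
            findings.append("icon comes from a library outside the Windows directory")
    if info.id_list_items and not info.flags & HAS_LINK_INFO and "relative_path" not in info.strings:
        findings.append("target is only an item ID list with no path data (opaque target)")
    return findings

def parse_lnk(data: bytes) -> LnkInfo:
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    (icon_index,) = struct.unpack_from("<i", data, 0x38)
    pos, items = HEADER_SIZE, 0
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2
        p, end = pos, pos + id_list_size
        while p + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, p)
            if item_size == 0:  # TerminalID ends the list
                break
            items += 1
            p += item_size
        pos = end
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size  # LinkInfoSize counts itself
    info = LnkInfo(flags, icon_index, items)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            info.strings[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    info.findings = assess(info)
    return info

def scan_tree(root: str) -> dict:
    # Walk a folder such as a mounted removable drive or share root and parse each shortcut.
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".lnk", ".pif")):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        results[path] = parse_lnk(fh.read())
                except (OSError, ValueError) as exc:
                    results[path] = exc
    return results

def build_sample_lnk(icon_location: str, link_info: bool = False) -> bytes:
    # Constructed fixture: minimal link with a two-item ID list and an icon location string.
    flags = HAS_LINK_TARGET_ID_LIST | 0x40 | IS_UNICODE | (HAS_LINK_INFO if link_info else 0)  # 0x40 = HasIconLocation
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    # FileAttributes, three FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey, three reserved fields
    header += struct.pack("<IQQQIiIHHII", 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = b"".join(struct.pack("<H", 4) + b"\x1f\x00" for _ in range(2)) + b"\x00\x00"
    body = struct.pack("<H", len(id_list)) + id_list
    if link_info:
        body += struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)  # header-only LinkInfo, constructed
    return header + body + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")

# Usage: parse_lnk(open(path, "rb").read()).findings, or scan_tree("/mnt/usb") for a whole drive.
```

Running `scan_tree` against the root of a drive or share gives a per-shortcut list of findings without the shell ever rendering the icons, which is the safe way to look at shortcuts arriving on removable media while the patch is being rolled out. The parser skips LinkInfo by its declared size rather than interpreting it, so malformed LinkInfo blocks only produce a `ValueError` or empty string data instead of a crash.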

ProloSozz RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 24th Jul, 2010 12:23
Score: 2
Posts: 1
User Since: 24th Jul 2010
System Score: N/A
Location: CH
Last edited on 24th Jul, 2010 12:23
How about Windows 2000. Is it not listed as it is not affected, or is it not listed as it is no longer supported (but could be affected as well)?
Was this reply relevant?
+2
-0
ddmarshall RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Dedicated Contributor 24th Jul, 2010 22:32
Score: 1209
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
It appears to affect all versions of Windows that support .lnk files for shortcuts. I think that will include Windows 2000. Microsoft probably won't issue patches for anything before XP SP3. You might be able to adapt the workarounds in the Security advisory.

http://www.sophos.com/security/topic/shortcut.html
http://www.microsoft.com/technet/security/advisory...
http://support.microsoft.com/kb/2286198

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+5
-0
aniket_zpm RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 25th Jul, 2010 12:12
Score: 5
Posts: 7
User Since: 25th Jul 2010
System Score: N/A
Location: IN
Last edited on 25th Jul, 2010 12:14
Here are some resources to read more about this threat:

http://www.symantec.com/connect/blogs/w32stuxnet-n...
http://www.symantec.com/connect/blogs/distilling-w...
http://www.symantec.com/connect/blogs/hackers-behi...
http://www.symantec.com/connect/blogs/w32stuxnet-i...
http://www.symantec.com/connect/blogs/w32temphid-c...

I feel that the propagation method of this threat could be similar to Conficker.



--
Aniket Amdekar,
Was this reply relevant?
+3
-1
ddmarshall RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Dedicated Contributor 25th Jul, 2010 22:13
Score: 1209
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Here is a list of the vulnerable systems: http://www.securityfocus.com/bid/41732/info . It appears Windows 2000 may not be vulnerable.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+1
-2
aniket_zpm RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 25th Jul, 2010 22:22
Score: 5
Posts: 7
User Since: 25th Jul 2010
System Score: N/A
Location: IN
Hi,

In many discussions over the internet, it's mentioned that even Windows 2000 is prone to this vulnerability.



--
Aniket Amdekar,
Was this reply relevant?
+3
-1
ddmarshall RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Dedicated Contributor 26th Jul, 2010 00:26
Score: 1209
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Yes. It looks like it is. The Microsoft Encyclopaedia entry for the worm associated with the vulnerability says it adapts for the different filenames used in Windows 2000.
https://www.microsoft.com/security/portal/Threat/E...

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+2
-0
Quitch RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 26th Jul, 2010 01:02
Score: 5
Posts: 53
User Since: 17th Apr 2008
System Score: 99%
Location: UK
on 24th Jul, 2010 12:23, ProloSozz wrote:
How about Windows 2000. Is it not listed as it is not affected, or is it not listed as it is no longer supported (but could be affected as well)?


As Windows 2000 is no longer supported, expect it to no longer be mentioned for vulnerabilities which do affect it.
Was this reply relevant?
+2
-0

aniket_zpm RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 27th Jul, 2010 20:24
Score: 5
Posts: 7
User Since: 25th Jul 2010
System Score: N/A
Location: IN
Last edited on 27th Jul, 2010 20:24
There are some updates coming up on this vulnerability. ZeuS and Sality infections are also exploiting the Windows Shortcut vulnerability.

The Zeus variant was discovered as an email attachment with a message supposedly from "security@microsoft.com" and the subject "Microsoft Windows Security Advisory".

Please be a little cautious while accessing email from "security@microsoft.com".

According to the Microsoft security advisory, this vulnerability presents a number of possibilities for attackers:

USB drive infection: That is, in the same style as the autorun trick without needing autorun.inf. This is the most obvious application of the hole. It is a local attack so it needs to have access to the computer in the form of a USB drive or even a CD/DVD.

Network shares: The hole can be exploited through the network by copying the malicious shortcut file to a shared network location frequently used by users in a Windows network. If the first infected user has administrator rights, there is another application of the hole. If that infected user can access other people's hard drives (either by having access rights or by guessing other users' passwords), it can copy the .LNK file onto the Windows Start menu folder so that the malicious shortcut is displayed and executed when the user clicks the Start button. DOWNAD already used the password-guessing method but this vulnerability helps by dealing with the execution part.

Malicious website: If the bad .LNK file is placed on a website that displays file icons, it can force Internet Explorer to check the right icon to be displayed, thus triggering exploitation. The likely candidates are pages that let users upload and download files such as a webmail client. This would affect the user as soon as the email with the attached shortcut file is opened without the need for the user to actually download the file. It is a real possibility that some Web mail software might encounter if they try to display the shortcut's icon. We cannot confirm if this is a real scenario yet, however.

Documents: Office productivity suites (including but not limited to Microsoft Office) allow files to be embedded within documents. If a bad shortcut file is packaged into some kind of document, the software accesses the icon file so that it can be displayed. This allows the possibility of an email attack by means of a regular document file with an embedded shortcut. In addition, some email clients might be affected when displaying attached files.

--
Aniket Amdekar,
Was this reply relevant?
+5
-1
aniket_zpm RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 31st Jul, 2010 20:31
Score: 5
Posts: 7
User Since: 25th Jul 2010
System Score: N/A
Location: IN
Yesterday, Microsoft announced plans to release an Out of Band Patch Release to address Microsoft Security Advisory 2286198 on Monday, August 2, 2010 at or around 10 AM PDT.

In the past few days, there has been an increase in attempts to exploit this vulnerability by multiple malware families. The signatures of most of the AV Vendors are able to detect these variants.

--
Aniket Amdekar,
Was this reply relevant?
+1
-0
rosbif73 RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 10th Aug, 2010 16:21
Score: 0
Posts: 1
User Since: 29th May 2010
System Score: N/A
Location: N/A
Last edited on 10th Aug, 2010 16:21
Even after installing the KB2286198 patch via Windows Update, PSI still reports XP as vulnerable to this advisory. Any ideas why?
Was this reply relevant?
+0
-0
Anthony Wells RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Expert Contributor 10th Aug, 2010 16:41
Score: 2437
Posts: 3,330
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Aug, 2010 16:43
@rosbif73,

As a new poster, you may not be aware that this thread in this "vulnerabilities" sub-forum is open for specific technical discussion of the SA and the disclosed vulnerability.

Your problem relates to the PSI and a specific M$ KB patch problem on your system.

I suggest you create your own thread (see left hand column of this website page) and repost your problem in either the "PSI" or "Open Discussion" sub-forum, if you still need advice.

Take care

Anthony

--

It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0

