Forum Thread: Microsoft Windows Shell Shortcut Parsing Vulnerability

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
Microsoft Windows Shell Shortcut Parsing Vulnerability

Secunia Microsoft Windows Shell Shortcut Parsing Vulnerability
Secunia Official 24th Jul, 2010 12:23
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
A vulnerability has been reported in Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in Windows Shell when parsing shortcuts (.lnk or .pif) as certain parameters are not properly validated when attempting to load the icon. This can be exploited to automatically execute a program via a specially crafted shortcut.

Successful exploitation requires that a user is e.g. tricked into inserting a removable media (when AutoPlay is enabled) or browse to the root folder of the removable media (when AutoPlay is disabled) using Windows Explorer or a similar file manager. Exploitation may also be possible via network shares and WebDAV shares or via documents supporting embedded shortcuts.

NOTE: This is currently being actively exploited in the wild via infected USB drives.

ProloSozz RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 24th Jul, 2010 12:23
Score: 2
Posts: 1
User Since: 24th Jul 2010
System Score: N/A
Location: CH
Last edited on 24th Jul, 2010 12:23
How about Windows 2000. Is it not listed as it is not affectet, or is it not listed as it is no longer supported (but could be affected as well)?
Was this reply relevant?
+2
-0
ddmarshall RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Dedicated Contributor 24th Jul, 2010 22:32
Score: 1250
Posts: 992
User Since: 8th Nov 2008
System Score: 98%
Location: UK
It appears to affect all versions of Windows that support .lnk files for shortcuts. I think that will include Windows 2000. Microsoft probably won't issue patches for anything before XP SP3. You might be able to adapt the workarounds in the Security advisory.

http://www.sophos.com/security/topic/shortcut.html
http://www.microsoft.com/technet/security/advisory...
http://support.microsoft.com/kb/2286198

--
Was this reply relevant?
+5
-0
aniket_zpm RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 25th Jul, 2010 12:12
Score: 5
Posts: 7
User Since: 25th Jul 2010
System Score: N/A
Location: IN
Last edited on 25th Jul, 2010 12:14
Here are some resources to read more about this threat:

http://www.symantec.com/connect/blogs/w32stuxnet-n...
http://www.symantec.com/connect/blogs/distilling-w...
http://www.symantec.com/connect/blogs/hackers-behi...
http://www.symantec.com/connect/blogs/w32stuxnet-i...
http://www.symantec.com/connect/blogs/w32temphid-c...

I feel that the propagation method of this threat could be similar to Conficker.



--
Aniket Amdekar,
Was this reply relevant?
+3
-1
ddmarshall RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Dedicated Contributor 25th Jul, 2010 22:13
Score: 1250
Posts: 992
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Here is a list of the vulnerable systems: http://www.securityfocus.com/bid/41732/info . It appears Windows 2000 may not be vulnerable.

--
Was this reply relevant?
+1
-2
aniket_zpm RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 25th Jul, 2010 22:22
Score: 5
Posts: 7
User Since: 25th Jul 2010
System Score: N/A
Location: IN
Hi,

In many discussions over internet, its mentioned that even windows 2000 is prone to this vulnerability.



--
Aniket Amdekar,
Was this reply relevant?
+3
-1
ddmarshall RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Dedicated Contributor 26th Jul, 2010 00:26
Score: 1250
Posts: 992
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Yes. It looks like it is. The Microsoft Encyclopaedia entry for the worm associated with the vulnerability says it adapts for the different filenams used in Windows 2000.
https://www.microsoft.com/security/portal/Threat/E...

--
Was this reply relevant?
+2
-0
Quitch RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 26th Jul, 2010 01:02
Score: 5
Posts: 53
User Since: 17th Apr 2008
System Score: 99%
Location: UK
on 24th Jul, 2010 12:23, ProloSozz wrote:
How about Windows 2000. Is it not listed as it is not affectet, or is it not listed as it is no longer supported (but could be affected as well)?


As Windows 2000 is no longer supported, expect it to no longer be mentioned for vulnerabilities which do affect it.
Was this reply relevant?
+2
-0

aniket_zpm

RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

aniket_zpm

RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
aniket_zpm RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 27th Jul, 2010 20:24
Score: 5
Posts: 7
User Since: 25th Jul 2010
System Score: N/A
Location: IN
Last edited on 27th Jul, 2010 20:24


--
Aniket Amdekar,
Was this reply relevant?
+5
-1
aniket_zpm RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 31st Jul, 2010 20:31
Score: 5
Posts: 7
User Since: 25th Jul 2010
System Score: N/A
Location: IN
Yesterday, Microsoft has announced plans to release an Out of Band Patch Release to address Microsoft Security Advisory 2286198 on Monday, August 2, 2010 at or around 10 AM PDT.

In the past few days, there has been an increase in attempts to exploit this vulnerability by multiple malware families. The signatures of most of the AV Vendors are able to detect these variants.

--
Aniket Amdekar,
Was this reply relevant?
+1
-0
rosbif73 RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Member 10th Aug, 2010 16:21
Score: 0
Posts: 1
User Since: 29th May 2010
System Score: N/A
Location: N/A
Last edited on 10th Aug, 2010 16:21
Even after installing the KB2286198 patch via Windows Update, PSI still reports XP as vulnerable to this advisory. Any ideas why?
Was this reply relevant?
+0
-0
Anthony Wells RE: Microsoft Windows Shell Shortcut Parsing Vulnerability
Expert Contributor 10th Aug, 2010 16:41
Score: 2493
Posts: 3,384
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Aug, 2010 16:43
@rosbif73 ,

As a new poster , you may not be aware that this thread in this "vulnerabilities" sub-forum is open for specific technical discussion of the SA and the disclosed vulnerability .

Your problem relates to the PSI and a specific M$ KB patch problem on your system .

I suggest you create your own thread (see left hand column of this website page) and repost your problem in either the "PSI" or "Open Discussion" sub-forum , if you still need advice .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0