anyweb Posted July 22, 2010

Microsoft releases Fix-IT for Windows Shortcut zero day attacks
http://www.zdnet.com/blog/security/ms-ships-temporary-fix-it-for-windows-shortcut-zero-day-attacks/6916

Microsoft has released a “fix-it” tool as a stop-gap to block ongoing zero-day attacks against a new code execution flaw in Windows Shell. The attacks, which incorporate signed drivers from RealTek and JMicron, are spreading locally via malicious USB drives or remotely via network shares and WebDAV. Microsoft has posted a pre-patch advisory that spells out the problem:

Best practices and technical defenses should be used to avoid new attacks related to malicious spoofed Windows shortcuts. Currently these zero-day attacks are not circulating extensively, and have only surfaced in limited targeted attacks. However, this is likely to change, as noted in the articles at the bottom, as malicious developers are exploring new conduits for seeding this in-the-wild. The danger of these attacks is that spoofed short-cuts can easily trick anyone into selecting them. Also, automated settings in autorun could lead to completely automatic attacks when the exploit is circulated using removable devices or unsecure network shares.

Microsoft Security Advisory (2286198) - Vulnerability in Windows Shell Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2286198.mspx

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.

DOWNLOAD FIX IT PATCH FROM HERE:
Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution
http://support.microsoft.com/kb/2286198

Applying the Fix it will require a restart of the machine. The installation of the Fix it will prompt the user before restarting the system. Enterprise deployments allow for unattended install with the following Display options:

TIP: Always download both the Fixit and Undo Fixit patches, carefully labeling them in separate folders. After a true patch emerges, both temporary Fixit tools will be removed from the kb in favor of the new security bulletin. While the full security release will usually take care of undoing the FixIt, it's good to have the Undo Fixit available just in case it's needed (as corporate inventory systems may not handle temporary fixes accurately).

SPECIAL WARNING: The Internet Storm Center warns Windows 2000 users to be especially careful as there will most likely be no forthcoming patch.

ADDITIONAL PROTECTION TO FIX-IT PATCH: Disabling AUTORUN, keeping AV updated, and best practices are in order for all operating systems.

HOW TO DISABLE AUTORUN FOR USB
http://support.microsoft.com/kb/967715

INTERNET STORM CENTER - Windows shortcut dangers
http://isc.sans.edu/diary.html?storyid=9217
http://isc.sans.edu/diary.html?storyid=9181
http://isc.sans.edu/diary.html?storyid=9190

AVERT LABS - EXCELLENT FAQ
http://www.avertlabs.com/research/blog/index.php/2010/07/19/microsoft-0day-malformed-shortcut-vulnerability/

QUOTE: How widely is the issue being exploited? The issue is known to be exploited by malware in the wild. Initial attacks were limited. However, an exploit module in metasploit was published today that uses WebDAV shares as an exploit vector. We expect wider exploitation of this issue. Users should keep their anti-virus software updated with the latest DATs (signatures).

via http://myitforum.com/cs2/blogs/hwaldron/archive/2010/07/22/microsoft-releases-fixit-for-windows-shortcut-zero-day-attacks.aspx
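The post recommends two layered defenses: apply the Fix it (which implements the advisory's "disable shortcut icon display" workaround) and disable Autorun per KB967715. The following PowerShell audit script is an added example written for this thread; it is not code from the post, from the linked KB or advisory, or from Microsoft's Fix it. It assumes that Autorun is governed by the `NoDriveTypeAutoRun` DWORD under `...\Policies\Explorer` (0xFF disables it for all drive types, and the KB967715 update must be installed for the value to be honored on older systems) and that the advisory workaround clears the `(Default)` value of `HKCR\lnkfile\shellex\IconHandler` (and `piffile`'s); verify both against the linked documents before relying on the report.

```powershell
# Added audit/hardening example for the two defenses recommended in the post above.
# Not code from the post, the KB/advisory, or the Fix it. Assumptions (verify against
# KB967715 and advisory 2286198):
#  - Autorun policy: DWORD NoDriveTypeAutoRun under
#    <hive>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; 0xFF = off for all drives.
#  - Shortcut icon workaround (automated by the Fix it): empty (Default) value of
#    HKCR\lnkfile\shellex\IconHandler and HKCR\piffile\shellex\IconHandler.
# The Get-* functions are read-only; Set-AutorunDisabled needs an elevated shell for HKLM.

function Get-AutorunPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $path  = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $props = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = if ($props) { [int]$props.NoDriveTypeAutoRun } else { $null }
    [pscustomobject]@{
        Hive     = $Hive
        Value    = $value
        # All eight drive-type bits set means Autorun is disabled everywhere.
        Disabled = ($null -ne $value -and ($value -band 0xFF) -eq 0xFF)
    }
}

function Set-AutorunDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $path = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if ($PSCmdlet.ShouldProcess($path, 'Set NoDriveTypeAutoRun = 0xFF')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord `
            -Value 0xFF -Force | Out-Null
    }
}

function Get-ShortcutIconHandlerState {
    # HKCR is not a default PSDrive, so address it through the Registry:: provider path.
    foreach ($class in 'lnkfile', 'piffile') {
        $key     = "Registry::HKEY_CLASSES_ROOT\$class\shellex\IconHandler"
        $handler = if (Test-Path $key) { (Get-Item $key).GetValue('') } else { $null }
        [pscustomobject]@{
            Class         = $class
            IconHandler   = $handler
            # An empty or missing default value means the workaround (or Fix it) is in effect.
            WorkaroundSet = [string]::IsNullOrEmpty($handler)
        }
    }
}

# Report current state, then preview the Autorun change without applying it (-WhatIf).
Get-AutorunPolicy -Hive HKLM
Get-AutorunPolicy -Hive HKCU
Get-ShortcutIconHandlerState
Set-AutorunDisabled -Hive HKLM -WhatIf
```

Run the audit first; drop `-WhatIf` only once the report confirms the target hive and value. The icon-handler check is deliberately read-only: per the TIP in the post, use the Fix it and its Undo counterpart rather than hand-editing HKCR, so that the change is reversible and recognised by inventory tooling.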