Risk
7/18/2010
03:02 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Warns Of Critical Vulnerability

Microsoft Friday warned its customers that attackers are targeting an unpatched and critical Windows vulnerability.

Microsoft Friday warned its customers that attackers are targeting an unpatched and critical Windows vulnerability.Microsoft Security Advisory (2286198) addresses a previously known vulnerability that makes it possible to exploit removable drives. Microsoft claims it has so far seen only limited, targeted attacks:

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

Anti-virus vendor Sophos warns that this vulnerability makes it possible for attackers to exploit all versions of Windows, including Windows 7:

The flaw is in how shell32.dll tries to load control panel icons from applets. By making a specially crafted shortcut pointing to a malicious file, you can make Windows Explorer blindly execute the malicious file when the location of the shortcut is merely browsed to. In this case the malicious file is a rootkit and a dropper that immediately hide the special shortcut (.lnk) files. Allowing executable code to load in the process of trying to retrieve an icon seems like a major oversight in the design of Windows.

Below is an interesting video produced by Sophos that demonstrates the attack underway.

Currently, Microsoft's advice is to disable icons for shortcuts. While a savvy home user may be able to pull that off - it's unlikely to be practical in a business environment. Most users will think their PC is "broken" and wonder why files won't launch. They also suggest disabling the WebDav WebClient. That's another less-than-ideal solution if your enterprise uses SharePoint.

That means, unfortunately, your best bet may be to make certain that your anti-malware software protects against the current batch of exploits. And wait for the inevitable patch, which hopefully comes on or before August's Patch Tuesday.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0560
Published: 2014-09-17
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0561
Published: 2014-09-17
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0567.

CVE-2014-0562
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0563
Published: 2014-09-17
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0565
Published: 2014-09-17
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0566.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant