Microsoft Friday warned its customers that attackers are targeting an unpatched and critical Windows vulnerability.
Microsoft Friday warned its customers that attackers are targeting an unpatched and critical Windows vulnerability.Microsoft Security Advisory (2286198) addresses a previously known vulnerability that makes it possible to exploit removable drives. Microsoft claims it has so far seen only limited, targeted attacks:
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.
Anti-virus vendor Sophos warns that this vulnerability makes it possible for attackers to exploit all versions of Windows, including Windows 7:
The flaw is in how shell32.dll tries to load control panel icons from applets. By making a specially crafted shortcut pointing to a malicious file, you can make Windows Explorer blindly execute the malicious file when the location of the shortcut is merely browsed to. In this case the malicious file is a rootkit and a dropper that immediately hide the special shortcut (.lnk) files. Allowing executable code to load in the process of trying to retrieve an icon seems like a major oversight in the design of Windows.
Below is an interesting video produced by Sophos that demonstrates the attack underway.
Currently, Microsoft's advice is to disable icons for shortcuts. While a savvy home user may be able to pull that off - it's unlikely to be practical in a business environment. Most users will think their PC is "broken" and wonder why files won't launch. They also suggest disabling the WebDav WebClient. That's another less-than-ideal solution if your enterprise uses SharePoint.
That means, unfortunately, your best bet may be to make certain that your anti-malware software protects against the current batch of exploits. And wait for the inevitable patch, which hopefully comes on or before August's Patch Tuesday.
Published: 2015-05-25 Cross-site request forgery (CSRF) vulnerability in the login page in IBM License Metric Tool 9 before 18.104.22.168 and Endpoint Manager for Software Use Analysis 9 before 22.214.171.124 allows remote attackers to hijack the authentication of arbitrary users via vectors involving a FRAME element.
Published: 2015-05-25 IBM License Metric Tool 9 before 126.96.36.199 and Endpoint Manager for Software Use Analysis 9 before 188.8.131.52 do not send an X-Frame-Options HTTP header in response to requests for the login page, which allows remote attackers to conduct clickjacking attacks via vectors involving a FRAME element.
Published: 2015-05-25 Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 184.108.40.206 iFix10, 6.0.5 before 220.127.116.11, and 18.104.22.168a before 22.214.171.124 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
Published: 2015-05-25 Common Inventory Technology (CIT) before 126.96.36.1990 in IBM License Metric Tool 7.2.2, 7.5, and 9; Endpoint Manger for Software Use Analysis 9; and Tivoli Asset Discovery for Distributed 7.2.2 and 7.5 allows remote attackers to cause a denial of service (CPU consumption or application crash) via a cr...
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.