Lincoln Computer Club Forum

[divingbrit]

Microsoft on Friday released a security advisory warning users of a zero-day vulnerability found within the Windows Shell.


The exploit takes place when the user inserts a USB flash drive, then navigates to the root of the USB drive. Microsoft explained that, “Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut”. After this the attacker could then gain access to the Windows machine.

All versions of Windows are affected by this flaw, from Windows XP SP3 right to Windows 7 and server editions 2008/2003. Windows 2000 and XP SP2 are both also affected by the vulnerability however they’re both out of Microsoft’s support window, meaning they ultimately won’t be patched.

Microsoft have not yet set a date for the flaw to be patched, however Patch Tuesday is scheduled for August 10th next month.

source: geeksmack.net

[barrowboy]

Sophos releases a free shortcut exploit fix
After Microsoft gives up
By Lawrence Latif
Tue Jul 27 2010, 16:24

INSECURITY VENDOR Sophos has released an in-line checking tool to mitigate exposure against a shortcut vulnerability that affects Microsoft's Windows operating systems.

The vulnerability, first disclosed last week, allows hackers to remotely execute code on machines running Windows XP, Windows Vista and Windows 7 by exploiting the way the operating system deals with shortcuts. The Vole's almost comical answer to the problem was to issue a "fix it" that removes all shortcuts from the system.

Sophos' solution ( http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protec tion-tool.html) is slightly different in that it validates the shortcut when it has been clicked, rather than just hiding it. If the shortcut is indeed the exploit, a message will be displayed and interaction with that shortcut disabled.

Apparently the tool currently works on LNK shortcuts, though the firm has commented that it might include support for PIF shortcuts in the future. According to Sophos, shortcuts are classified as dodgy if "It is a Control Panel shortcut and it points to an existing file that can be opened for execution, and neither the shortcut nor the shortcut's target are on the computer's local disk."

The free patch is available for download and is designed to work with existing antivirus software.

The partial solution does little to address the underlying problem, which Microsoft has all but given up on.

It seems that the only real solution is to install Linux!!

[barrowboy]

Microsoft will fix a flaw today
Can't wait for Patch Tuesday
By Nick Farrell
Mon Aug 02 2010, 10:30

SOFTWARE FLOGGER Microsoft will release a security update today to address a critical vulnerability in the Windows Shell.

Last week the Vole announced in Security Advisory 2286198 that it was looking into reports of targeted attacks exploiting a vulnerability in Windows Shell.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed, Microsoft said,

Microsoft said that the vulnerability can be exploited locally through a malicious USB drive or remotely via network shares and WebDAV.

The patch will be released today at around 10am PDT.

A spokesvole said the company has completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers.

Part of the reason the Vole is rushing the patch out is that in the past few days it has seen an increase in attempts to exploit the vulnerability.

"We firmly believe that releasing the update out of band is the best thing to do to help protect our customers," Microsoft said. µ

[divingbrit]

Microsoft to patch Windows shortcut vulnerability
An emergency Windows software update will close a loophole in Microsoft’s operating system that makes it easy for hackers to take control of a computer using shortcuts

Microsoft has confirmed that it will release an emergency, “out of band” patch to close a loophole that made it easy for hackers and cyber criminals to gain remote access to PCs.

The software update will patch a vulnerability in the way Windows XP, Windows Vista and Windows 7 handle shortcuts, also known as. lnk files. Microsoft said it had seen a significant “increase in attempts” by hackers over the last few days to take advantage of the loophole, which enables them to take control of a computer by tricking users in to clicking on infected shortcut links.


“We’re able to confirm that, in the past few days, we’ve seen an increase in attempts to exploit the vulnerability,” said Christopher Budd, a senior security response manager at Microsoft. “We firmly believe that releasing the update out-of-band is the best thing to do to help protect our customers.”

Microsoft is expected to release the patch later today, and Windows users are advised to run a system update to install the patch and ensure their computer is protected against the vulnerability.

Microsoft first warned Windows users about the vulnerability on July 16. Security experts have advised Windows users to employ a “workaround solution” to tide them over until the patch has released. Microsoft released details of the temporary fix on its website, which showed users how to prevent. lnk folder icons from being displayed on their computer desktop.


Telegraph