IT-SECURITY-ALERT Archives (IT-SECURITY-ALERT@LISTSERV.UNL.EDU), July 2010
LISTSERV.UNL.EDU, LISTSERV 16.0

Subject: Vulnerability in Windows Shell Could Allow Remote Code Execution
From: Rick Haugerud <[log in to unmask]>
Date: Tue, 20 Jul 2010 08:24:54 -0500

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
Published: July 16, 2010 | Updated: July 19, 2010

Version: 1.1

General Information
Executive Summary
Microsoft is investigating reports of limited, targeted attacks exploiting a 
vulnerability in Windows Shell, a component of Microsoft Windows. This 
advisory contains information about which versions of Windows are vulnerable 
as well as workarounds and mitigations for this issue. 

The vulnerability exists because Windows incorrectly parses shortcuts in such 
a way that malicious code may be executed when the icon of a specially 
crafted shortcut is displayed. This vulnerability is most likely to be exploited 
through removable drives. For systems that have AutoPlay disabled, 
customers would need to manually browse to the affected folder of the 
removable disk in order for the vulnerability to be exploited. For Windows 7 
systems, AutoPlay functionality for removable disks is automatically disabled. 
Microsoft is currently working to develop a security update for Windows to 
address this vulnerability.

We are actively working with partners in our Microsoft Active Protections 
Program (MAPP) to provide information that they can use to provide broader 
protections to customers.


Advisory Details
Issue References
For more information about this issue, see the following references:

CVE Reference: CVE-2010-2568

Affected and Non-Affected Software
This advisory discusses the following software.

Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Windows Shell, a 
component of Microsoft Windows. This vulnerability affects the operating 
systems that are listed in the Affected Software section.

Is this a security vulnerability that requires Microsoft to issue a security 
update? 
Microsoft is currently working to develop a security update for Windows to 
address this vulnerability. 

What is the Windows Shell? 
The Windows user interface (UI) provides users with access to a wide variety 
of objects necessary for running applications and managing the operating 
system. The most numerous and familiar of these objects are the folders and 
files that reside on computer disk drives. There are also a number of virtual 
objects that allow the user to perform tasks such as sending files to remote 
printers or accessing the Recycle Bin. The Shell organizes these objects into a 
hierarchical namespace and provides users and applications with a consistent 
and efficient way to access and manage objects.

What is a shortcut? 
A shortcut is a link to a file or program, represented by an icon. If you double-
click a shortcut, the file or program opens. The shortcut is a mechanism often 
used to keep frequently used files in a single, easily accessed location, such 
as a folder or the desktop. Shortcuts are implemented as files with the LNK 
extension.

What causes this threat? 
When attempting to load the icon of a shortcut, the Windows Shell does not 
correctly validate specific parameters of the shortcut.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary 
code as the logged-on user. If a user is logged on with administrative user 
rights, an attacker could take complete control of the affected system. An 
attacker could then install programs; view, change, or delete data; or create 
new accounts with full user rights. Users whose accounts are configured to 
have fewer user rights on the system could be less impacted than users who 
operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could present a removable drive to the user with a malicious 
shortcut file, and an associated malicious binary. When the user opens this 
drive in Windows Explorer, or any other application that parses the icon of the 
shortcut, the malicious binary will execute code of the attacker’s choice on 
the victim system.

An attacker could also set up a remote network share, and place the malicious 
components on this share. When the user browses the share, Windows will 
attempt to load the icon of the shortcut file, and the malicious binary may be 
invoked.

Could this vulnerability be exploited remotely? 
This vulnerability is most likely to be exploited through removable drives. 
However, affected shortcuts can also be distributed over network shares or 
remote WebDAV shares.
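
The three vectors above (removable drive, SMB share, WebDAV share) all rely on 
something asking the Shell to draw the shortcut's icon. The following PowerShell 
script is an added example, not part of the advisory and not Microsoft code: it 
inventories .lnk files on removable drives (or any path you give it) using plain 
file I/O and directory enumeration only, so the icon-loading code path the 
advisory describes is never exercised. The header layout and flag names follow 
the public MS-SHLLINK specification; the function names, the choice of .exe/.dll 
as "associated binary" candidates, and the constructed sample file are 
assumptions. Do not open the same folders in Windows Explorer on an unpatched 
host while triaging.

```powershell
# Added example (not from the advisory): read .lnk files with plain file I/O and
# decode the fixed 76-byte ShellLinkHeader. Nothing here asks the Shell to load
# an icon, which is the code path the advisory says is at fault.

$ShellLinkClsid = '00021401-0000-0000-c000-000000000046'   # LinkCLSID, MS-SHLLINK 2.1
$LinkFlagNames  = @{                                        # low LinkFlags bits, MS-SHLLINK 2.1.1
    1 = 'HasLinkTargetIDList'; 2  = 'HasLinkInfo';  4  = 'HasName';         8   = 'HasRelativePath'
    16 = 'HasWorkingDir';      32 = 'HasArguments'; 64 = 'HasIconLocation'; 128 = 'IsUnicode'
}

function Get-LnkHeader {
    param([Parameter(Mandatory=$true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 76) { return $null }                  # shorter than a ShellLinkHeader
    $clsid = (New-Object System.Guid -ArgumentList (,[byte[]]$b[4..19])).ToString()
    $flags = [BitConverter]::ToUInt32($b, 20)
    $names = $LinkFlagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } |
             ForEach-Object { $LinkFlagNames[$_] }
    $idListSize = 0                                          # IDListSize follows the header when bit A is set
    if (($flags -band 1) -and $b.Length -ge 78) { $idListSize = [BitConverter]::ToUInt16($b, 76) }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    New-Object PSObject -Property @{
        Path        = $Path
        IsShellLink = (([BitConverter]::ToUInt32($b, 0) -eq 0x4C) -and ($clsid -eq $ShellLinkClsid))
        LinkFlags   = ('0x{0:X8}' -f $flags)
        FlagNames   = ($names -join ',')
        IDListSize  = $idListSize
        IconIndex   = [BitConverter]::ToInt32($b, 56)
        SHA256      = ([BitConverter]::ToString($sha.ComputeHash($b)) -replace '-', '')
    }
}

function Get-LnkInventory {
    # Directory enumeration only; no Explorer view is opened. The advisory pairs each
    # malicious shortcut with an "associated malicious binary", so executables that
    # sit in the same folder are listed too (the .exe/.dll choice is an assumption).
    param([Parameter(Mandatory=$true)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -Include *.lnk -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } |
      ForEach-Object {
          $h = Get-LnkHeader -Path $_.FullName
          if ($h -eq $null) { return }
          $dir = $_.DirectoryName
          $siblings = Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll)$' } |
              ForEach-Object { $_.Name }
          $h | Add-Member -MemberType NoteProperty -Name SiblingBinaries -Value ($siblings -join ';') -PassThru
      }
}

function Get-RemovableDriveRoot {
    # Win32_LogicalDisk DriveType 2 = removable disk, the vector the advisory rates most likely.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { $_.DeviceID + '\' }
}

function New-SampleLnkBytes {
    # Constructed sample (not a real shortcut): a valid header with
    # HasLinkTargetIDList|HasIconLocation set, followed by an empty IDList
    # (IDListSize = 2, TerminalID = 0x0000), so the parser can be exercised offline.
    $b = New-Object byte[] 80
    [BitConverter]::GetBytes([uint32]0x4C).CopyTo($b, 0)          # HeaderSize
    ([guid]$ShellLinkClsid).ToByteArray().CopyTo($b, 4)           # LinkCLSID
    [BitConverter]::GetBytes([uint32](1 -bor 64)).CopyTo($b, 20)  # LinkFlags = 0x41
    [BitConverter]::GetBytes([uint32]1).CopyTo($b, 60)            # ShowCommand = SW_SHOWNORMAL
    [BitConverter]::GetBytes([uint16]2).CopyTo($b, 76)            # IDListSize
    return ,$b
}

$sample = Join-Path $env:TEMP 'sample-2286198.lnk'
[System.IO.File]::WriteAllBytes($sample, (New-SampleLnkBytes))
Get-LnkHeader -Path $sample | Format-List Path, IsShellLink, LinkFlags, FlagNames, IDListSize, SHA256
Remove-Item $sample

# Live use: enumerate every removable drive the same way.
foreach ($root in Get-RemovableDriveRoot) { Get-LnkInventory -Root $root | Format-Table -AutoSize }
```

On the constructed sample the parser reports IsShellLink True, LinkFlags 
0x00000041, FlagNames HasLinkTargetIDList,HasIconLocation and IDListSize 2. The 
point of the raw parse is not to recognise the malicious shortcut (the advisory 
does not say which header fields are mis-validated) but to get a hash, the flag 
set and the co-located binaries for every shortcut on a drive without handing 
any of them to the Shell; the output can then be compared against the 
protections MAPP partners publish.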

How are the Windows 7 Service Pack 1 Beta and Windows Server 2008 R2 
Service Pack 1 Beta releases affected by this vulnerability? 
Windows 7 Service Pack 1 Beta and Windows Server 2008 R2 Service Pack 1 
Beta are affected by the vulnerability. Customers running these beta releases 
are encouraged to apply the workarounds described in this advisory.

I am using an older release of the software discussed in this security advisory. 
What should I do? 
The affected software listed in this advisory have been tested to determine 
which releases are affected. Other releases are past their support life cycle. 
For more information about the product lifecycle, visit the Microsoft Support 
Lifecycle Web site.

It should be a priority for customers who have older releases of the software 
to migrate to supported releases to prevent potential exposure to 
vulnerabilities. To determine the support lifecycle for your software release, 
see Select a Product for Lifecycle Information. For more information about 
service packs for these software releases, see Lifecycle Supported Service 
Packs.

Customers who require custom support for older software must contact their 
Microsoft account team representative, their Technical Account Manager, or 
the appropriate Microsoft partner representative for custom support options. 
Customers without an Alliance, Premier, or Authorized Contract can contact 
their local Microsoft sales office. For contact information, visit the Microsoft 
Worldwide Information Web site, select the country in the Contact Information 
list, and then click Go to see a list of telephone numbers. When you call, ask 
to speak with the local Premier Support sales manager. For more information, 
see the Microsoft Support Lifecycle Policy FAQ.

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, 
existing in a default state, that could reduce the severity of this issue. The 
following mitigating factors may be helpful in your situation: 

• An attacker who successfully exploited this vulnerability could gain the same 
user rights as the local user. Users whose accounts are configured to have 
fewer user rights on the system could be less impacted than users who 
operate with administrative user rights.
 
• When AutoPlay is disabled, the user would manually have to launch Windows 
Explorer or a similar application and browse to the affected folder of the 
removable disk.
 
• Blocking outbound SMB connections on the perimeter firewall will reduce the 
risk of remote exploitation using file shares. This does not cover the WebDAV 
vector described above, which the WebClient service reaches over HTTP rather 
than SMB; the WebClient workaround below addresses that vector.
 

Workarounds

Workaround refers to a setting or configuration change that does not correct 
the underlying issue but would help block known attack vectors before you 
apply the update. Microsoft has tested the following workarounds and states 
in the discussion whether a workaround reduces functionality: 

• Disable the displaying of icons for shortcuts

Note Using Registry Editor incorrectly can cause serious problems that may 
require you to reinstall your operating system. Microsoft cannot guarantee 
that problems resulting from the incorrect use of Registry Editor can be 
solved. Use Registry Editor at your own risk. For information about how to edit 
the registry, view the "Changing Keys And Values" Help topic in Registry Editor 
(Regedit.exe) or view the "Add and Delete Information in the Registry" 
and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK.

2. Locate and then click the following registry key:

HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

3. Click the File menu and select Export.

4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click 
Save.

Note This will create a backup of this registry key in the My Documents folder 
by default.

5. Select the value (Default) in the right-hand pane of the Registry Editor. 
Press Enter to edit the value of the key. Remove the value, so that the value 
is blank, and press Enter.

6. Restart explorer.exe or restart the computer.

Impact of workaround. Disabling icons from being displayed for shortcuts 
prevents the issue from being exploited on affected systems. When this 
workaround is implemented, shortcut files and Internet Explorer shortcuts will 
no longer have an icon displayed.
 
• Disable the WebClient service 

Disabling the WebClient service helps protect affected systems from attempts 
to exploit this vulnerability by blocking the most likely remote attack vector 
through the Web Distributed Authoring and Versioning (WebDAV) client 
service. After applying this workaround, it will still be possible for remote 
attackers who successfully exploited this vulnerability to cause Microsoft 
Office Outlook to run programs located on the targeted user's computer or the 
Local Area Network (LAN), but users will be prompted for confirmation before 
opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.

2. Right-click WebClient service and select Properties.

3. Change the Startup type to Disabled. If the service is running, click Stop.

4. Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web 
Distributed Authoring and Versioning (WebDAV) requests are not transmitted. 
In addition, any services that explicitly depend on the Web Client service will 
not start, and an error message will be logged in the System log. For example, 
WebDAV shares will be inaccessible from the client computer.

How to undo the workaround.

To re-enable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.

2. Right-click WebClient service and select Properties.

3. Change the Startup type to Automatic. If the service is not running, click 
Start.

4. Click OK and exit the management application.
 
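Both workarounds above are written for one interactive session in Regedit and 
services.msc. The script below is an added example, not part of the advisory 
and not Microsoft code: it wraps the same two workarounds, their undo steps, 
and a status check in PowerShell functions so they can be applied and verified 
on many hosts. The registry key, the backup file name and the service name are 
the advisory's; the function names, the state file used to remember the 
service's previous start mode, the AutoPlay check under the machine Policies 
key, and the PowerShell 2.0-era cmdlet choices are assumptions. Run it from an 
elevated prompt, since writing under HKEY_CLASSES_ROOT and changing a service 
require it.

```powershell
# Added example (not from the advisory): the two workarounds, their undo steps
# and a status check as functions. Key path, backup name and service name come
# from the advisory; everything else is an assumption for illustration.

$IconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'   # no HKCR: drive by default
$Docs           = [Environment]::GetFolderPath('MyDocuments')
$BackupFile     = Join-Path $Docs 'LNK_Icon_Backup.reg'            # same name the advisory uses
$StateFile      = Join-Path $Docs 'WebClient_StartMode.txt'        # assumed location

function Restart-Explorer {
    # Step 6 of the first workaround: the Shell drops the handler only after explorer.exe restarts.
    Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
    if (-not (Get-Process explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

function Disable-LnkIconHandler {
    # Workaround 1, steps 2-5: export the key (reg.exe does what File > Export does),
    # then blank (Default) so no icon handler is registered for .lnk files.
    if (Test-Path $BackupFile) { Remove-Item $BackupFile }
    & reg.exe export 'HKCR\lnkfile\shellex\IconHandler' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) { throw 'backup failed; key left untouched' }
    Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value ''
    Restart-Explorer
}

function Restore-LnkIconHandler {
    # Undo workaround 1 by importing the backup, which restores the original handler CLSID.
    if (-not (Test-Path $BackupFile)) { throw "no backup at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed' }
    Restart-Explorer
}

function Disable-WebClientService {
    # Workaround 2: remember the current start mode, then Disabled + Stop (steps 3-4).
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { throw 'WebClient service not present on this host' }
    Set-Content -Path $StateFile -Value $svc.StartMode                  # 'Auto', 'Manual' or 'Disabled'
    Set-Service -Name WebClient -StartupType Disabled
    if ($svc.State -eq 'Running') { Stop-Service -Name WebClient -Force }
}

function Enable-WebClientService {
    # Undo workaround 2. The advisory's undo sets Automatic; this prefers the
    # recorded pre-change mode and falls back to Automatic when none was saved.
    $mode = 'Automatic'
    if ((Test-Path $StateFile) -and ((Get-Content $StateFile) -join '').Trim() -eq 'Manual') { $mode = 'Manual' }
    Set-Service -Name WebClient -StartupType $mode
    if ((Get-Service -Name WebClient).Status -ne 'Running') { Start-Service -Name WebClient }
}

function Get-Advisory2286198Status {
    # What the advisory's mitigations and workarounds look like on this host.
    $handler = (Get-ItemProperty -Path $IconHandlerKey -ErrorAction SilentlyContinue).'(default)'
    $svc     = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    $mode    = 'absent'; $state = 'absent'
    if ($svc) { $mode = $svc.StartMode; $state = $svc.State }
    # AutoPlay: NoDriveTypeAutoRun is a bitmask of drive types; 0x04 is DRIVE_REMOVABLE.
    # Only the machine policy key is read here (assumption; HKCU can carry the same value).
    $pol     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $autorun = 'not set'; $removableAutoRunOff = $false
    if ($pol -and $pol.NoDriveTypeAutoRun -ne $null) {
        $autorun = '0x{0:X2}' -f [int]$pol.NoDriveTypeAutoRun
        $removableAutoRunOff = (([int]$pol.NoDriveTypeAutoRun -band 0x04) -ne 0)
    }
    New-Object PSObject -Property @{
        LnkIconHandlerCLSID     = $handler
        IconWorkaroundApplied   = [string]::IsNullOrEmpty($handler)
        WebClientStartMode      = $mode
        WebClientState          = $state
        NoDriveTypeAutoRun      = $autorun
        RemovableAutoRunBlocked = $removableAutoRunOff
    }
}

Get-Advisory2286198Status | Format-List
# Disable-LnkIconHandler; Disable-WebClientService      # apply both workarounds
# Enable-WebClientService; Restore-LnkIconHandler       # undo both
```

The export-before-write order matters: if reg.exe cannot write the backup, the 
handler value is left alone, so the undo path always has something to import. 
Recording the WebClient start mode before changing it avoids the one behaviour 
change the advisory's undo step would introduce on hosts where the service was 
not Automatic to begin with. The status function is what to run first on a 
fleet, before and after the workarounds, and again once the security update the 
advisory promises has been installed and the workarounds are reverted.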

Additional Suggested Actions


For more information about this issue, see Microsoft Knowledge Base Article 
2286198.

• Protect your PC

We continue to encourage customers to follow our Protect Your Computer 
guidance of enabling a firewall, getting software updates and installing 
antivirus software. Customers can learn more about these steps by visiting 
Protect Your Computer.
 
• For more information about staying safe on the Internet, visit Microsoft 
Security Central.
 
• Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help 
make sure that their computers are as protected as possible. If you are not 
sure whether your software is up to date, visit Windows Update, scan your 
computer for available updates, and install any high-priority updates that are 
offered to you. If you have Automatic Updates enabled, the updates are 
delivered to you when they are released, but you have to make sure you 
install them.
 

Other Information
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability 
information to major security software providers in advance of each monthly 
security update release. Security software providers can then use this 
vulnerability information to provide updated protections to customers via their 
security software or devices, such as antivirus, network-based intrusion 
detection systems, or host-based intrusion prevention systems. To determine 
whether active protections are available from security software providers, 
please visit the active protections Web sites provided by program partners, 
listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback
• You can provide feedback by completing the Microsoft Help and Support 
form, Customer Service Contact Us.
 

Support
• Customers in the United States and Canada can receive technical support 
from Security Support. For more information about available support options, 
see Microsoft Help and Support.
 
• International customers can receive support from their local Microsoft 
subsidiaries. For more information about how to contact Microsoft for 
international support issues, visit International Support.
 
• Microsoft TechNet Security provides additional information about security in 
Microsoft products.
 

Disclaimer
The information provided in this advisory is provided "as is" without warranty 
of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. 
In no event shall Microsoft Corporation or its suppliers be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if Microsoft Corporation or its 
suppliers have been advised of the possibility of such damages. Some states 
do not allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply.

Revisions
• V1.0 (July 16, 2010): Advisory published.
• V1.1 (July 19, 2010): Clarified the vulnerability description and the "Is this a 
security vulnerability that requires Microsoft to issue a security update?" FAQ 
entry.
