Microsoft warns of critical unpatched Windows Shell vulnerability

[nsane.forums]

Microsoft issued a security bulletin on Friday to warn customers of a 0-day exploit involving the Windows Shell.

The vulnerability is caused due to an error in Windows Shell when parsing shortcuts (.lnk). The flaw can be exploited automatically by executing a program via a specially crafted shortcut. Certain parameters of the .lnk are not properly validated on load, resulting in the vulnerability. Microsoft says it has "seen only limited, targeted attacks on this vulnerability."

For the exploit to be successful it requires that users insert removable media (when AutoPlay is enabled) or browse to the removable media (when AutoPlay is disabled). According to Microsoft's advisory, exploitation may also be possible via network shares and WebDAV shares. Microsoft states that the exploit affects all Windows versions since Windows XP, including Windows 7. However, Security Researcher Chester Wisniewski of Sophos, reports that Windows 2000 and Windows XP SP2 (both unsupported by Microsoft) are affected by the flaw.

Sophos explain that the flaw bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run. In a blog posting, Sophos researchers demonstrate the flaw (see below) on Windows 7, which becomes infected with a rootkit as a result.

Microsoft says users could halt attacks by disabling icons for shortcuts and switching off the WebClient service. Unfortunately the suggestion is far from ideal for most corporate customers, disabling icon shortcuts will likely result in mass confusion for users and turning off the WebClient service will render Microsoft SharePoint useless. Microsoft has not confirmed when a patch will be made available for the issue. The company's next patch Tuesday is scheduled on August 10.

View: Original Article

[Lite]

New Windows Shortcut zero-day exploit confirmed

Reports have been circulating for a few weeks about a new attack being targeted at certain Windows users that used USB memory sticks to propagate. More details have now emerged, including confirmation from Microsoft that a new flaw exists and is being exploited.

The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker's choosing. Any Windows application that tries to display the shortcut's icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.

The first reports of the problem came last month from Belorussian security company VirusBlokAda. The company found systems infected with the flaw through infected USB keys. The keys use the flaw to install a rootkit to hide the shortcuts, dubbed Stuxnet, including kernel-mode drivers, and a malicious payload. The rootkit is itself noteworthy: the drivers it installs are signed. The certificate used to sign them belongs to Realtek, suggesting that somehow the attackers have access to Realtek's private key. The certificate used to sign the rootkit has now been revoked by Verisign.

The current in-the-wild attacks are using USB keys to distribute the shortcuts, but the attack could equally use network shares or local disks. The malware payload appears to be designed to specifically compromise the databases used by Siemens' SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens' software uses hardcoded passwords, making attack particularly simple.

The best option for mitigating the flaw is to disable Windows' ability to show shortcuts' icons; details on how to do this are provided in Microsoft's security bulletin. However, this mitigation comes at some cost; it removes all the icons from the Start menu, for example, which is sure to be detrimental to usability. Disabling Autorun provides slight protection, as it prevents Explorer windows from opening automatically when a USB key or CD is inserted.

Malware has used USB keys to spread before, but generally has leveraged Windows' AutoRun capability to trick users into executing the malicious software automatically. Newer versions of Windows have reduced the functionality of AutoRun to try to prevent such attacks. This use of specially-crafted shortcuts, however, undermines that protection.

Though the flaw is not itself suitable for worm-like propagation, it nonetheless represents a substantial threat to Windows systems. Microsoft has not yet made any announcement of when a patch will become available; the next Patch Tuesday is not until August 10, but if the threat is deemed severe enough a patch could be released at any time. All currently supported versions of Windows are vulnerable, including Windows 7.

Microsoft doesn't list Windows 2000 or Windows XP Service Pack 2 as vulnerable, but this is because they are no longer supported—they are just as vulnerable as more recent versions, but will not receive a patch.

View: Original Article

[ssj100]

Hi, I've done lots of testing of this vulnerability here:

http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1302

Any request of programs to test it against?