Monday, July 19, 2010

New Windows vulnerability discovered - be careful with those USB sticks!

Microsoft posted information late last week about a vulnerability in Windows that means merely plugging a USB memory stick into your PC can cause bad things to happen. Basically, if the file that contains the little picture (icon) shown in Windows Explorer is "infected", whatever bad code the attackers have attached to the icon file gets executed. At that point your system is pwnd 8^) and they can do whatever they want to it.

At the moment there is no fix, and the workarounds are fairly technical. More information and details can be found on The H Security page as well as in Microsoft's Security Advisory about it. So until MS releases a patch, be extremely careful about plugging USB memory sticks into your PC or laptop - know where they came from. Don't take candy or USB drives from strangers!

7/19 update: SANS has raised its Infocon alert level to Yellow solely because of the Shortcut bug.

7/20 update: This flaw has gotten more press than anything I remember seeing since the Conficker worm, which appeared shortly after I started this blog. Furthermore, more than one industry expert is saying that this flaw is not easily fixable... I've been doing some more research on it, and although I first decided that I would not make any modifications to my machines to protect against it, a while ago I changed my mind and made the two mods recommended by Microsoft on my Windows 7 work laptop. One of the mods is to delete a Windows registry key (after making a backup of it), which suppresses the display of icons on shortcuts in Windows Explorer (thus precluding the running of malicious code that might be embedded in the icon file).

The other is to disable (and stop, if it's already running) a Windows "service" called WebClient, using the services.msc application. (In all likelihood you do not need this service running unless you use the "WebDAV Client Service", which has to do with the interoperability of web page authoring tools. Or something like that.)

As I said before, these mods are not the sort of thing that most people do often, or even at all, with their Windows installations, but if you follow the instructions in the Microsoft Security Advisory carefully, you should be fine. As long as you make the backup of the registry key as described in that document, both actions are reversible, and I therefore recommend doing them.
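For anyone who would rather script the two mods than click through regedit and services.msc, here is an added PowerShell example (my own, not code from the post or from Microsoft's advisory) that takes the registry backup first, then removes the key and stops/disables WebClient, and can undo both. The registry key path is a placeholder: substitute the exact key named in the Microsoft Security Advisory, and run from an elevated prompt.

```powershell
# Added example: apply / verify / undo the two workarounds described above.
# ASSUMPTION: $IconHandlerKey is a placeholder; use the key from the MS advisory.
param(
    [string]$IconHandlerKey = 'HKEY_CLASSES_ROOT\<KEY-NAMED-IN-ADVISORY>',
    [string]$BackupFile     = "$env:USERPROFILE\shortcut-key-backup.reg"
)

function Backup-And-RemoveIconKey {
    # Export the key BEFORE touching it; this backup is what makes the change reversible.
    reg.exe export $IconHandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $IconHandlerKey failed; registry left untouched."
    }
    # Only now delete the key (suppresses shortcut icon rendering in Explorer).
    reg.exe delete $IconHandlerKey /f | Out-Null
}

function Disable-WebClientService {
    # Stop WebClient if running, then prevent it from starting again.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning 'WebClient service not present'; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
}

function Test-Workarounds {
    # Report whether both mods are in effect. Uses WMI so it also works on
    # the older PowerShell that ships with Windows 7.
    $keyGone = -not (Test-Path "Registry::$IconHandlerKey")
    $wmi = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    $svcOff = ($null -eq $wmi) -or ($wmi.State -ne 'Running' -and $wmi.StartMode -eq 'Disabled')
    [pscustomobject]@{ IconKeyRemoved = $keyGone; WebClientDisabled = $svcOff }
}

function Restore-Workarounds {
    # Undo: re-import the exported key and put WebClient back to its prior start
    # type. ASSUMPTION: the prior start type was Manual; adjust if yours differed.
    param([string]$OriginalStartType = 'Manual')
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; cannot restore." }
    reg.exe import $BackupFile | Out-Null
    Set-Service -Name WebClient -StartupType $OriginalStartType
}

# Usage: apply both mods, then confirm they took effect.
Backup-And-RemoveIconKey
Disable-WebClientService
Test-Workarounds
```

Keep the exported .reg file somewhere safe; Restore-Workarounds depends on it to put the icon behaviour back once a real patch ships.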
