Friday, July 23, 2010

Update on MS Shortcut Flaw

Details and corrections about how this vulnerability works and how serious it is continue to come out in the infosec world. Episode 258 of the Security Now! podcast lays it out pretty well. Some key points:
  • Microsoft has updated their Security Advisory at least twice this week; it now points to a Knowledge Base article that has a "Fix it" thing you can click on to make the two changes I described in the last post about this. They have also substantially revised their analysis of the flaw - originally it was thought that the AutoPlay/Autorun feature had to be turned on, but as we now know, just viewing a shortcut in Windows Explorer can trigger malware, if any is present.
  • It is apparently possible that even shortcuts embedded in documents (e.g. MS Word files), emails, or web pages could be used as vectors... Think about that for a moment - yow!
  • The SN podcast also points to a Didier Stevens blog post that describes how to use Software Restriction Policies in Windows to combat the flaw. However, it's probably a more advanced "hack" than the ones already described, and you can really screw stuff up if you don't know what you're doing with Policies. I have managed to configure two systems I have (one XP, one Win7) successfully with these changes, and tested it on one of them by trying to run an executable on a thumb drive that I have mounted... The application is blocked and a message comes up saying so.
The big question is how and when Microsoft will fix this. But - no matter what they do - older versions of Windows (e.g. Windows 2000 and XP SP2) are no longer being updated by MS with patches, so unless they make an exception for this very serious flaw, some systems will never be safe from this (unless a 3rd party makes some kind of widget available that blocks it).

Friday 7/30 update: MS has announced that they're going to release an out-of-cycle patch next week for this. Details are in the MS Security blog.
