Well the vulnerabilities threat profile has expanded:http://www.f-secure.com/weblog/archives/00001994.htmlIf the .lnk is inside a document windows will execute the code.  Again..i hope this fizzles..if it doesn’t I want folks to be aware.

The podcast software crashed so I was able to make a written update to the post with the help of Arstechnica.com.  Go checkout the updated post.

The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.

The first reports of the problem came last month from Belorussian security company VirusBlokAda. The company found systems infected with the flaw through infected USB keys. The keys use the flaw to install a rootkit to hide the shortcuts, dubbed Stuxnet, including kernel-mode drivers, and a malicious payload. The rootkit is itself noteworthy: the drivers it installs are signed. The certificate used to sign them belongs to Realtek, suggesting that somehow the attackers have access to Realtek’s private key. The certificate used to sign the rootkit has now been revoked by Verisign.

The current in-the-wild attacks are using USB keys to distribute the shortcuts, but the attack could equally use network shares or local disks. The malware payload appears to be designed to specifically compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making attack particularly simple.

The best option for mitigating the flaw is to disable Windows’ ability to show shortcuts’ icons; details on how to do this are provided in Microsoft’s security bulletin. However, this mitigation comes at some cost; it removes all the icons from the Start menu, for example, which is sure to be detrimental to usability. Disabling Autorun provides slight protection, as it prevents Explorer windows from opening automatically when a USB key or CD is inserted.

This one has the potential to be very very bad.   What I am going to do is put some of the links below.  I am going to record a podcast tonight about this and have it posted in the next 24 hours.  While the threat right now is low the potential for this one to explode is very very high.  I do not get concerned about Windows exploits very often..this one has the very real potential to be on the scale of sasser, code red, or conficker.  ECC is gearing up for this to be a widespread event and I am hoping it fizzles(which is dependent on a timely patch from Microsoft.)  As of right now there is no anti-anything that will stop the .LNK vulnerability itself and any malware that appears WILL be able to leverage this before the a/v vendors can react as of right now.  I am sure the security companies will be able to catch up..however we really need a patch from Microsoft on this one.  The big problem for Microsoft is this is endemic to their ENTIRE codebase from Windows 95 on up.  They have to now re-engineer every version of Windows to protect against this flaw.  This is one time that if it takes Microsoft more than a week to come up with a fix there’s a very good reason. The following operating systems will NOT get a patch from Microsoft:

Windows 95

Windows 98

Windows ME

Windows NT

windows 2000(all versions)

Windows XP below SP3(this includes XP 64-bit which is now end of life..no support)

Windows VistaRTM (all versions).  Vista SP1 is still supported until July 12 2011.  You really should upgrade to SP2 of Vista.

I have some of the links below I have been following for this:

1

2

3

4

5

6

7

8

*UPDATE* Microsoft has posted their workaround.  This nukes ALL shortcuts on the system though.  If you want to guarentee your protection use this patch..but you won’t be able to easily launch anything.

*UPDATE 2*

http://www.twit.tv/sn258

There are several attack vectors.  It can be triggered via a webpage.  it may even be able to be done from within any browser…not just IE.  I just just got done informing a client that this could have many more attack vectors due to this being a problem with the core of windows.

*UPDATE 4* Normally I advocate caution in major patches.  This hole however is so important that i am going to immediately patch and then workaround any issues this is going to cause.  Again on mOnday htis patch gets released.  PATCH IMMEDIATLY!!!  Read the previous advisories I posted about this here.

1.  Have a security audit done if you’ve never had one done.

2.  Don’t use IE.  Unless you are technically savy just don’t.  It’s the number one attack vector(via Activex).

3.  Run Firefox or Google Chrome.

4.  Don’t goto porn, warez, gambling..etc etc type sites.  If it’s a red-light disctrict on land it’s the same in cyber-land.  If you go to these places in cyber-land none of the above or below matter..you’ll be infected either immediately or very quickly.  NO anti-anything will save you either.

5.  Don’t buy into the anti-whatever $$$ trap.  I haven’t run a/v on my systems in nearly a decade.  We’ve had ONE system infection and it was my wife’s fault(by her own admission).  If you are REQUIRED to run anti stuff get the  cheapest you can find.

6.  Never click a link in an e-mail until you check it.  This can be a tricky subject.  Hover your mouse(Don’t click any links) over the links and see if the address presented in the bottom bar matches the text of  the link.  If it doesn’t it’s a fake.  Contact ECC for full details.

7.  Remove admin rights from users.  Self-explanatory.

8.  Remove the ability for users to install ANYTHING.  This can easily be done via group policy. (This and #7 are the 2 things you can do on a network to stop at least 90% of all malware infections)

9.  Disable autorun.  This nukes most infections from usb keys(flash drives, thumb drives..etc etc etc.  Works great in conjunction with #8 and #7)

10.  Ensure all systems are up to date with all security updates.  Not just Windows and Office but every third party program on your systems.  (This includes Acrobat, Flash, Java).

There are some serious errors in this..i’ll address them inline.

Text below:

Windows Server vs. Linux

by Ellen Messmer

June 8, 2010 —

Which is better? Microsoft Windows Server or open-source Linux?

This debate arouses vehement opinions, but according to one IT consultant who spends a lot of time with both Windows and Linux, it’s a matter of arguing which server OS is the most appropriate in the context of the job that needs to be done, based on factors such as cost, performance, security and application usage.

7 Open Source innovations

“With Linux, the operating system is effectively free,” says Phil Cox, principal consultant with SystemExperts. “With Microsoft, there are licensing fees for any version, so cost is a factor.” And relative to any physical hardware platform, Linux performance appears to be about 25% faster, Cox says.

That’s at a minimum.  It’s often much higher.  Windows server core is an attempt to regain some of that base speed by jettisoning the gui.

Combine that with the flexibility you have to make kernel modifications, something you can’t do with proprietary Windows, and there’s a lot to say about the benefits of open-source Linux. But that’s not the whole story, Cox points out, noting there are some strong arguments to be made on behalf of Windows, particularly for the enterprise.

For instance, because you can make kernel modifications to Linux, the downside of that is “you need a higher level of expertise to keep a production environment going,” Cox says, noting a lot of people build their own packages and since there are variations of Linux, such as SuSE or Debian, special expertise may be needed.

Windows offers appeal in that “it’s a stable platform, though not as flexible,” Cox says. When it comes to application integration, “Windows is easier,” he says.

Windows most assuredly is NOT easier.  by the time you get to managing patches, default configuration tweaking, the layers of security you have to pile on to have a prayer of a chance to NOT get compromised…Linux is MUCH easier.  I can turn up a Linux server from ground zero to the base install in under an hour WITHOUT USING AN IMAGE.  Updates?  One run and one reboot..Windows?  It’ll be multiples of each…it goes on and on and on.

Windows access control “blows Linux out of the water,” he claims. “In a Windows box, you can set access-control mechanisms without a software add-on.”

He apparently hasn’t heard of chmod and chown.  You can do everything you want right from the cli.  I tend to use a package called Webmin which is installed from the command line and run from a web browser…i don’t have to pay the Windows gui performance tax.

Patching is inevitable with either Windows or Linux, and in this arena, Cox says that it’s easier to patch Windows. Microsoft is the only source to issue Windows patches. With Linux, you have to decide whether to go to an open-source entity for patches, for instance the one for OpenSSH, or wait until a commercial Linux provider, such as Red Hat, provides a patch.

OR you can use a community variant called Centos(to reference Redhat) which is non-commercial…OR you can use the granddaddy of Linux distros, Debian, who has the basis of many many other distributions.  You don’t have to go to openssl because the distros are hooked right into the package vendors.  Here’s one point the author missed…speed of patches.  Microsoft WON’T patch until there’s an active exploit outside of it’s monthly cycle.  Most Linux distros patch within 24 hours of release..24 HOURS..not DAYS or MONTHS…HOURS.  Let’s see Microsoft do that…and do it reliably with hosing it’s users systems that have gotten infested due to their continued bad design choices.

Microsoft presents a monolithic single point of contact for business customers, whereas “In Linux, you need to know where to go for what,” which makes it more complicated, Cox says. “There’s no such thing as a TechNet for Linux,” he says. Linux users need to be enthusiastic participants in the sometimes clannish open-source community to get the optimum results.

Oh and Microsofties aren’t clannish?  LOL!  Let me tell you something..if you don’t drink the Microsoft Kool-aid totally you won’t be in the MS forums and MS evangelists sites..trust me I know about this.

These kind of arguments may indicate why Windows Server continues to have huge appeal in the enterprise setting, though some vertical industries, such as financial firms, have become big-time Linux users.

The only reason Windows keeps hanging around like a fungus is because the third party app vendors have not yet started coding for Linux in large numbers yet…that’s coming.  Once folks can see the advantages to Linux MS will have to tighten up their code or die.

Linux and open-source applications are popular in the Internet-facing extranet of the enterprise, Cox notes. And Linux has become a kind of industrial technology for vendors which use it in a wide range of products and services — for instance Amazon’s EC2 computing environment data centers rely on Xen-based Linux servers.

Know why?  Security is one, reliability is another, patching is stupid easy(run updates on live system. if no kernel updates no reboot needed..at all).  Windows hangs around right now because third party vendors aren’t coding…yet. MS right now does have it’s place and i will recommend windows on the back only when it’s truly necessary. The comments on this article do a far better job of eviscerating the author than I do..:)

here are the instructions as noted in the article:

To reduce the size of the log file, use the following steps. A full server backup is recommended first.

1. Open notepad and Copy and paste the following text into notepad. Save the file as c:\logshrink.sql

declare @ConfigDB varchar(255);
declare @ConfigDBLog varchar(255);
declare @ConfigDBCmd varchar(255);
select @ConfigDB = name from sys.databases where name like ‘SharePoint_Config_%’;
set @ConfigDBCmd = ‘BACKUP database [' + RTRIM(@ConfigDB) + '] to disk=”C:\windows\temp\before.bkf”’;
execute(@ConfigDBCmd);
set @ConfigDBCmd = ‘use [' + RTRIM(@COnfigDB) + ']‘;
execute(@ConfigDBCmd);
set @ConfigDBCmd = ‘BACKUP LOG [' + RTRIM(@ConfigDB) + '] WITH TRUNCATE_ONLY’;
execute(@ConfigDBCmd);
set @ConfigDBCmd = ‘use [' + RTRIM(@COnfigDB) + ']‘;
execute(@ConfigDBCmd);
select @ConfigDBLog = name from sys.database_files where name like ‘SharePoint_Config%_log’;
set @ConfigDBCmd = ‘use [' + RTRIM(@ConfigDB) + '] DBCC SHRINKFILE([' + RTRIM(@ConfigDB) + '_log],1)’;
execute(@ConfigDBCmd);
set @ConfigDBCmd = ‘BACKUP database [' + RTRIM(@ConfigDB) + '] to disk=”C:\windows\temp\after.bkf”’;
execute(@ConfigDBCmd);
go

2. Open an elevated command prompt and run the following command:sqlcmd -S \\.\pipe\mssql$microsoft##ssee\sql\query -E -i c:\logshrink.sql

I had to run it twice to get the file back down to a reasonable size.

This is an expansion of the most recent IE exploit.  Now comes the analysis.

Allowing a system level file for windows(in this case a dll) be executable without any kind of security context is a really bad idea.  That’s really all  Activex is but there are several other DLL’s inside of IE that allow other DLL’s to be executed.  In this case it was mshtml.dll.  Mshtml.dll was the source of hte exploit and now a further analysis of the malware shows it uses it’s own dll to leverage this vulnerability.

ECC HIGHLY reccomends you do one of two things:

1.  Simply don’t use IE at all

2.  If you can’t(or won’t) at least get your security setup to wholesale blacklist dll’s at the firewall.  This will break some sites that are coded for IE.  Many of these sites will work under Firefox as well.