Category: Windows 7


Well, the vulnerability's threat profile has expanded:
http://www.f-secure.com/weblog/archives/00001994.html
If the .lnk is inside a document, Windows will execute the code.  Again..I hope this fizzles..if it doesn’t I want folks to be aware.


http://www.emmanuelcomputerconsulting.com/archives/2421

The podcast software crashed so I was able to make a written update to the post with the help of Arstechnica.com.  Go check out the updated post.

I am going to provide you with the summary from Ars Technica as it’s the clearest explanation of the problem I have seen:

The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.

The first reports of the problem came last month from Belorussian security company VirusBlokAda. The company found systems infected with the flaw through infected USB keys. The keys use the flaw to install a rootkit to hide the shortcuts, dubbed Stuxnet, including kernel-mode drivers, and a malicious payload. The rootkit is itself noteworthy: the drivers it installs are signed. The certificate used to sign them belongs to Realtek, suggesting that somehow the attackers have access to Realtek’s private key. The certificate used to sign the rootkit has now been revoked by Verisign.

The current in-the-wild attacks are using USB keys to distribute the shortcuts, but the attack could equally use network shares or local disks. The malware payload appears to be designed to specifically compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making attack particularly simple.

The best option for mitigating the flaw is to disable Windows’ ability to show shortcuts’ icons; details on how to do this are provided in Microsoft’s security bulletin. However, this mitigation comes at some cost; it removes all the icons from the Start menu, for example, which is sure to be detrimental to usability. Disabling Autorun provides slight protection, as it prevents Explorer windows from opening automatically when a USB key or CD is inserted.
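A triage check for the behaviour the summary above describes (shortcuts that point at Control Panel items), added here as an example and not taken from the original post or from Ars Technica: it parses a .lnk header and item list and reports whether the shortcut targets the Control Panel namespace. The header layout and CLSIDs are the standard Windows shell link values; the function names are made up for this example and `build_sample` produces constructed, simplified test input.

```python
import struct
import uuid

# Shell Link (.lnk) header constants from Microsoft's MS-SHLLINK format.
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_ID_LIST = 0x1  # LinkFlags bit: a LinkTargetIDList follows the header
# Shell namespace CLSIDs: My Computer and Control Panel.
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")


def id_list_items(data):
    """Return the body of each ItemID in the shortcut's LinkTargetIDList."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link")
    size, flags = struct.unpack_from("<I16xI", data, 0)
    if size != HEADER_SIZE or data[4:20] != LINK_CLSID.bytes_le:
        raise ValueError("not a shell link header")
    if not flags & HAS_ID_LIST:
        return []
    list_size = int.from_bytes(data[HEADER_SIZE:HEADER_SIZE + 2], "little")
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + list_size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("corrupt ItemID size")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def references_control_panel(data):
    """True if any ItemID embeds the Control Panel namespace CLSID."""
    return any(CONTROL_PANEL.bytes_le in item for item in id_list_items(data))


def build_sample(clsids):
    """Constructed input: a bare header plus an IDList of CLSID-only items."""
    items = b"".join(struct.pack("<HBB", 20, 0x1F, 0) + c.bytes_le for c in clsids)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le + struct.pack("<I", HAS_ID_LIST)
    header = header.ljust(HEADER_SIZE, b"\x00")
    return header + struct.pack("<H", len(items) + 2) + items + b"\x00\x00"
```

A hit only says the shortcut points into Control Panel, which legitimate shortcuts also do, so it is a reason to look closer at files found on USB keys or network shares rather than a verdict.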

This one has the potential to be very very bad.   What I am going to do is put some of the links below.  I am going to record a podcast tonight about this and have it posted in the next 24 hours.  While the threat right now is low the potential for this one to explode is very very high.  I do not get concerned about Windows exploits very often..this one has the very real potential to be on the scale of Sasser, Code Red, or Conficker.  ECC is gearing up for this to be a widespread event and I am hoping it fizzles (which is dependent on a timely patch from Microsoft).  As of right now there is no anti-anything that will stop the .LNK vulnerability itself and any malware that appears WILL be able to leverage this before the a/v vendors can react.  I am sure the security companies will be able to catch up..however we really need a patch from Microsoft on this one.  The big problem for Microsoft is this is endemic to their ENTIRE codebase from Windows 95 on up.  They have to now re-engineer every version of Windows to protect against this flaw.  This is one time that if it takes Microsoft more than a week to come up with a fix there’s a very good reason. The following operating systems will NOT get a patch from Microsoft:

Windows 95

Windows 98

Windows ME

Windows NT

Windows 2000 (all versions)

Windows XP below SP3 (this includes XP 64-bit which is now end of life..no support)

Windows Vista RTM (all versions).  Vista SP1 is still supported until July 12 2011.  You really should upgrade to SP2 of Vista.

I have some of the links below I have been following for this:

1 2 3 4 5 6 7 8

*UPDATE* Microsoft has posted their workaround.  This nukes ALL shortcuts on the system though.  If you want to guarantee your protection use this patch..but you won’t be able to easily launch anything.

*UPDATE 2*

Well, the vulnerability's threat profile has expanded:
If the .lnk is inside a document, Windows will execute the code.  Again..I hope this fizzles..if it doesn’t I want folks to be aware.

*UPDATE 3*  Listen to this videocast from Steve Gibson..it’s well explained.

http://www.twit.tv/sn258

There are several attack vectors.  It can be triggered via a webpage.  It may even be able to be done from within any browser…not just IE.  I just got done informing a client that this could have many more attack vectors due to this being a problem with the core of Windows.

*UPDATE 4* Normally I advocate caution in major patches.  This hole however is so important that I am going to immediately patch and then work around any issues this is going to cause.  Again, on Monday this patch gets released.  PATCH IMMEDIATELY!!!  Read the previous advisories I posted about this here.

Windows has design issues…I have talked about it many many times.  However it IS possible to have a malware free system.  It’s really not that hard.  You do need to change your behavior on how you operate your Windows systems.

1.  Have a security audit done if you’ve never had one done.

2.  Don’t use IE.  Unless you are technically savvy just don’t.  It’s the number one attack vector (via ActiveX).

3.  Run Firefox or Google Chrome.

4.  Don’t go to porn, warez, gambling..etc etc type sites.  If it’s a red-light district on land it’s the same in cyber-land.  If you go to these places in cyber-land none of the above or below matter..you’ll be infected either immediately or very quickly.  NO anti-anything will save you either.

5.  Don’t buy into the anti-whatever $$$ trap.  I haven’t run a/v on my systems in nearly a decade.  We’ve had ONE system infection and it was my wife’s fault (by her own admission).  If you are REQUIRED to run anti stuff get the cheapest you can find.

6.  Never click a link in an e-mail until you check it.  This can be a tricky subject.  Hover your mouse (don’t click any links) over the links and see if the address presented in the bottom bar matches the text of the link.  If it doesn’t it’s a fake.  Contact ECC for full details.

7.  Remove admin rights from users.  Self-explanatory.

8.  Remove the ability for users to install ANYTHING.  This can easily be done via group policy. (This and #7 are the 2 things you can do on a network to stop at least 90% of all malware infections)

9.  Disable autorun.  This nukes most infections from USB keys (flash drives, thumb drives..etc etc etc).  Works great in conjunction with #8 and #7.

10.  Ensure all systems are up to date with all security updates.  Not just Windows and Office but every third party program on your systems.  (This includes Acrobat, Flash, Java).

If you are running 32-bit XP you can install Service Pack 3 and continue with support.  If you are running 64-bit XP this operating system is now “dead”.  No more patches of any kind.  All versions of Windows 2000 are also now End Of Life.  You need to move to Windows 7/Server 2008 now before your systems become even bigger targets.

Support for Windows 2000 and Windows XP SP2 comes to an end.

Synchronizing Roaming Profiles Between a V1 & V2 Profile.

The news is..you can’t.  So if you want to move to Server 2008 and keep your profiles you have to stick with either XP and below (not a good long term solution) or have all Vista and above machines.  Users cannot roam between XP and Vista/7 machines.  I guess MS REALLY wants you to upgrade to Vista/7 when you change your server to 2k8.  ICK.  So the best migration is to manually grab the DATA (but not the config files) from the old profile..have the client log into the new machine and then dump the files into that…still an ick.  There are a FEW third party vendors that can migrate this via software but the costs could be substantial.

Microsoft has put out a winner this time.  I have been running Windows 7 since the first beta.  It runs perfectly on my old 1.6 GHz Celeron notebook with 2 gigs of RAM.  Vista on the same machine was a horrid experience (yes Vista is that bad).  The conventional wisdom is you wait for the first service pack.  That has been true in the past (Vista notwithstanding).  While Vista has had two service packs it’s still terribly slow.  Windows 7 has had zero service packs and it runs great.  I have seen signs of the classic “Windows rot” in 7 though.  I’ve been running my latest installation for about a year now and it’s getting flaky.

Bottom line:

If you are still hanging onto XP it’s time to move provided you have the correct hardware.  IE9 among others are beginning to become Vista/7 products only.  I call XP “functionally obsolete” as you are going to see more and more developers move away from XP even though technically Microsoft still “supports” XP (it is a 9 year old operating system).  Even “older” hardware (aka see my notebook) can handle Windows 7 for light work.

Computer Security Research – McAfee Labs Blog.

This is an expansion of the most recent IE exploit.  Now comes the analysis.

Allowing a system level file for Windows (in this case a DLL) to be executable without any kind of security context is a really bad idea.  That’s really all ActiveX is but there are several other DLLs inside of IE that allow other DLLs to be executed.  In this case it was mshtml.dll.  Mshtml.dll was the source of the exploit and now a further analysis of the malware shows it uses its own DLL to leverage this vulnerability.

ECC HIGHLY recommends you do one of two things:

1.  Simply don’t use IE at all

2.  If you can’t (or won’t) at least get your security setup to wholesale blacklist DLLs at the firewall.  This will break some sites that are coded for IE.  Many of these sites will work under Firefox as well.

This was an exploit from back in IE6.  It is present in all versions up to 8.  mshtml.dll once again has a major issue that allows remote sites to take over your machine.  If you are running IE6, IE7, or IE8 you are vulnerable.  HOWEVER if you have DEP turned on for IE 7 or 8 then the threat is reduced but not eliminated.  This is also why you NEVER surf on a server.  Frankly I am going to extend Microsoft’s advice.  Raise ALL security levels to high except trusted sites…leave it at medium (for Windows updates) then never launch IE again.  I am being dead serious.

VIDEO OF EXPLOIT IN ACTION.  Blow the video up to full screen then watch for a list that shows up at around 1 minute.  Notice how notepad is running nicely.  At around 1 minute 50 seconds the “hacker” issues a kill command followed by a number.  That number is the notepad.  Watch as notepad goes boom..no warning..no notifications.  This person has full control of your system..all because of a badly designed OS and browser.  Notice the users on the right.  Those are system processes..processes even the administrator does not have direct access to.  I have said it over and over: having a web browser tied so closely to the kernel is a bad idea.  As long as IE exists in its current form Windows will NEVER be remotely secure.

Here’s the backstory.  Apparently some Chinese folks (possibly the gov’t) started using this unknown security hole in IE to start trying to get into various activists that are opposed to the vast range of Chinese gov’t controls.  They targeted Google because this is where these targeted activists had their mail.  Google detected this activity and began a backtrace.  They found out that multiple large companies had also been attacked using this issue.  The story is continuing to unfold.  The only fix available right now is to put all of your IE settings up to high.  This has the effect of making IE unusable on the internet.

My recommendation:  Use either Google Chrome or Firefox.  Don’t bother with IE anymore…at all.  There are so many links with full information I am not going to embed them into this post.  The list follows.

*UPDATE* There are quite a few programs that idiotically use IE to operate.  Now various exploit writers and researchers are hitting these as well.  Many other programs are now falling over after being hit either with IE exploits or ones similar that are now being found in a rash of other software.

Google’s Initial Response disclosure of what was targeted and revelations of other companies hit

Microsoft’s confirmation and advisory.

Other companies also hit.

(This list will continue to grow)

McAfee has multiple postings:

1 2 3 (twitter feed) 4

*UPDATE*  ITworld has much the same opinion of IE as I have had for a long time.

{ED7BA470-8E54-465E-825C-99712043E01C}

{00C6D95F-329C-409a-81D7-C46C66EA7F33}

{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}

{025A5937-A6BE-4686-A844-36FE4BEC8B6D}

{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}

{1206F5F1-0569-412C-8FEC-3204630DFB70}

{15eae92e-f17a-4431-9f28-805e482dafd4}

{17cd9488-1228-4b2f-88ce-4298e93e0966}

{1D2680C9-0E2A-469d-B787-065558BC7D43}

{1FA9085F-25A2-489B-85D4-86326EEDCD87}

{208D2C60-3AEA-1069-A2D7-08002B30309D}

{20D04FE0-3AEA-1069-A2D8-08002B30309D}

{2227A280-3AEA-1069-A2DE-08002B30309D}

{241D7C96-F8BF-4F85-B01F-E2B043341A4B}

{4026492F-2F69-46B8-B9BF-5654FC07E423}

{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}

{78F3955E-3B90-4184-BD14-5397C15F1EFC}

via The Other 16 “GodModes” For Windows 7 – Tom’s Hardware.

Here is how you activate them:

Step 1: Right click.

Step 2: Click create folder.

Step 3: Name your sparkly, new folder this, “<whatever you want>.{ED7BA470-8E54-465E-825C-99712043E01C}” and press enter.

So you could call this ultimate shortcut number 1.(guid) or whatever you wanted it to be..:)

This is not for you XP folks but it is for Vista.