
Dangerous Flash Drives – part 2

The story continues. Microsoft has released a Security Advisory with workarounds for the ".lnk vulnerability" described in our previous blog post. To help you protect your systems, here are the two official workarounds; the full article is on the Microsoft website:

Microsoft Security Advisory (2286198)

http://www.microsoft.com/technet/security/advisory/2286198.mspx

Disable the displaying of icons for shortcuts

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK.

2. Locate and then click the following registry key:

   HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

3. Click the File menu and select Export.

4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save. Note: this creates a backup of the registry key in the My Documents folder by default.

5. Select the value (Default) in the right-hand pane of the Registry Editor. Press Enter to edit the value, delete its contents so that the value is blank, and press Enter.

6. Restart explorer.exe or restart the computer.

Impact of workaround. Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.


Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector, the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.

2. Right-click the WebClient service and select Properties.

3. Change the Startup type to Disabled. If the service is running, click Stop.

4. Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

These were the official Microsoft workarounds.
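The two workarounds above are click-through instructions for a single machine. The following script is an added example, not code from the AVG post or from Microsoft's advisory: it applies, verifies or reverts both workarounds from an elevated PowerShell prompt, so the same change can be pushed to many machines and undone later. The registry key and the service name are the ones the advisory cites; the `-Action` parameter, the backup file location and the side file that remembers the WebClient start mode are this script's own assumptions.

```powershell
# Added example (not from the AVG post or the Microsoft advisory): apply, verify or
# revert the two workarounds of Security Advisory 2286198. Run elevated.
# Usage:  .\Lnk-Workarounds.ps1 -Action Apply | Verify | Revert
[CmdletBinding()]
param(
    [ValidateSet('Apply', 'Verify', 'Revert')]
    [string]$Action = 'Verify',
    # Assumed backup location; the advisory's GUI steps default to My Documents.
    [string]$BackupFile = (Join-Path $env:USERPROFILE 'Documents\LNK_Icon_Backup.reg')
)

$iconKey       = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'   # PowerShell provider path
$iconKeyRegFmt = 'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'             # same key, reg.exe syntax
$stateFile     = "$BackupFile.webclient"   # assumed side file holding WebClient's original start mode

function Get-IconHandler {
    # (Default) value of the IconHandler key; $null when it is blank or unset.
    # On a stock system this reads {00021401-0000-0000-C000-000000000046}, the shell link handler.
    $v = (Get-ItemProperty -Path $iconKey -ErrorAction Stop).'(default)'
    if ([string]::IsNullOrEmpty($v)) { return $null }
    return $v
}

function Get-WebClientStartMode {
    # Get-Service has no start-type property on PowerShell 2.0, so ask WMI: Auto, Manual or Disabled.
    (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode
}

function Restart-Explorer {
    # Step 6 of the first workaround: Explorer keeps the icon handler loaded until it restarts.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

function Show-State {
    $handler = Get-IconHandler
    $mode    = Get-WebClientStartMode
    $handlerText = if ($handler) { $handler } else { '(blank)' }
    New-Object -TypeName PSObject -Property @{
        LnkIconHandler       = $handlerText
        LnkWorkaroundApplied = (-not $handler)
        WebClientStatus      = (Get-Service -Name WebClient).Status
        WebClientStartMode   = $mode
        WebClientDisabled    = ($mode -eq 'Disabled')
    }
}

switch ($Action) {
    'Apply' {
        # Steps 3-4: export the key first so the change can be undone.
        & reg.exe export $iconKeyRegFmt $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; registry left untouched." }
        Get-WebClientStartMode | Set-Content -Path $stateFile
        # Step 5: blank (Default) so Explorer no longer loads an icon handler for .lnk files.
        Set-ItemProperty -Path $iconKey -Name '(default)' -Value ''
        # Second workaround: stop and disable the WebDAV client service.
        Set-Service -Name WebClient -StartupType Disabled
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Restart-Explorer
    }
    'Revert' {
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
        & reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
        # WMI reports 'Auto' where Set-Service expects 'Automatic'; fall back to Manual if no side file.
        $orig = if (Test-Path $stateFile) { (Get-Content -Path $stateFile).Trim() } else { 'Manual' }
        if ($orig -eq 'Auto') { $orig = 'Automatic' }
        Set-Service -Name WebClient -StartupType $orig
        Restart-Explorer
    }
}
Show-State
```

`-Action Verify` (the default) only reads the key and the service and prints both; use it after deployment to confirm `LnkWorkaroundApplied` and `WebClientDisabled` are both true. The export happens before the registry write, and the script refuses to continue if `reg.exe` reports a failure, so there is always a backup to import on `Revert`.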


However, there also seems to be another solution: deploying a Group Policy that denies running executable files from any drive other than C: (a Software Restriction Policy path rule, for example). This should address the problem, but it can be very inconvenient (though safe) for users and is recommended only for experienced administrators. One caveat if a Software Restriction Policy is used: its enforcement must cover libraries (DLLs) as well as executables, because the default enforcement setting exempts DLLs and the .lnk exploit loads a library rather than an .exe.
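Once such a GPO is deployed, an administrator will want to confirm that it actually reached the clients. The script below is an added example, not from the AVG post: it assumes the GPO was built as a Software Restriction Policy and reads the Safer registry keys where SRP stores its rules, changing nothing. The meaning assigned to `TransparentEnabled` (1 = executables only, 2 = executables and DLLs) is this script's own reading of that value.

```powershell
# Added example (not from the AVG post): read-only check of the Software Restriction
# Policy state on a client, run after gpupdate /force. Assumes the GPO from the post
# was implemented as an SRP; the Safer keys below are where SRP keeps its rules.
$srpKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpState {
    if (-not (Test-Path $srpKey)) {
        return New-Object -TypeName PSObject -Property @{
            Present = $false; DefaultLevel = $null; ChecksDlls = $false; PathRules = @() }
    }
    $props = Get-ItemProperty -Path $srpKey

    # Path rules live under <level>\Paths\{GUID}, each with ItemData (the path) and Description.
    $rules = @()
    foreach ($level in $levelNames.Keys) {
        $pathsKey = Join-Path $srpKey "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $r = Get-ItemProperty -Path $rule.PSPath
            $rules += New-Object -TypeName PSObject -Property @{
                Level = $levelNames[$level]; Path = $r.ItemData; Description = $r.Description }
        }
    }

    $dl = $props.DefaultLevel
    $defaultName = if ($dl -ne $null) { $levelNames[[int]$dl] } else { '(not set)' }
    New-Object -TypeName PSObject -Property @{
        Present      = $true
        DefaultLevel = $defaultName
        # Assumed meaning: 1 = all software files except libraries (default), 2 = including DLLs.
        ChecksDlls   = ([int]$props.TransparentEnabled -eq 2)
        PathRules    = $rules
    }
}

$state = Get-SrpState
if (-not $state.Present) {
    Write-Warning 'No Software Restriction Policy is present on this machine.'
    return
}
"Default security level : $($state.DefaultLevel)"
"DLLs are checked       : $($state.ChecksDlls)"
$state.PathRules | Format-Table Level, Path, Description -AutoSize

# Expected shape for the "C: only" variant: Disallowed default level plus an Unrestricted
# path rule for C:\ (next to the default rules for the Windows and Program Files folders).
if ($state.DefaultLevel -ne 'Disallowed') {
    Write-Warning 'Default level is not Disallowed: code outside the path rules will still run.'
}
if (-not $state.ChecksDlls) {
    Write-Warning 'Enforcement excludes DLLs; the .lnk exploit loads a library, so set enforcement to all software files.'
}
```

The two warnings at the end are the checks that matter for this vulnerability: a policy whose default level is Unrestricted blocks nothing outside its explicit Disallowed rules, and a policy that skips DLLs will not stop the library the malicious shortcut loads, no matter which drive it sits on.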


Thanks to Peter Gramantik.

