Proof of concept exploit code for the recently revealed zero-day vulnerability in all versions of Windows has been made public on exploit-db.com. This means that, while attacks using it so far have been limited and targeted, they will soon be more widespread.
The upside is that public exploit code also helps researchers and users build effective defenses. Didier Stevens has done this by testing his own Ariad tool against it and confirming that it blocks the exploit. Ariad is a minifilter driver which blocks specific classes of files, now including .LNK files, from USB sticks. Stevens calls Ariad “beta”, but it has been around for over a year and he intimates that it is quite stable. If you are continuing to run Windows XP SP2 even though Microsoft has stated that it will no longer provide security updates for it, tools like Ariad could be a good alternative.
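As an added, defender-side illustration (not Stevens's Ariad code and not part of the original post): a small Python parser for the Shell Link format that reports where each .LNK on a mounted removable drive points and whether that target itself lives on removable media, so the shortcuts on a suspect USB stick can be triaged without browsing the drive in Explorer. The sample .LNK it builds is constructed in-code for offline testing; the drive letters and paths in it are made up.

```python
import struct
from pathlib import Path
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID, GUID bytes little-endian
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # on-disk order of the StringData section
DRIVE_REMOVABLE = 2  # DriveType value inside the LinkInfo VolumeID structure

def parse_lnk(data: bytes) -> dict:
    """Return the local target path, the target's drive type and the StringData fields of one .LNK."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID: raise ValueError("not a Shell Link (.LNK) file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:  # skip the ItemIDList using its 2-byte size prefix
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"target": None, "drive_type": None}
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: a local, NUL-terminated target path is present
            info["drive_type"] = struct.unpack_from("<I", data, pos + vol_off + 4)[0]
            start = pos + base_off
            info["target"] = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += size
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")  # counted strings follow LinkInfo
    for bit, key in STRING_FIELDS:
        if flags & bit:
            n, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            info[key], pos = data[pos:pos + n * width].decode(enc, "replace"), pos + n * width
    return info

def scan_for_lnk(root: Path) -> list:
    """Parse every .lnk under root (e.g. a mounted USB stick) and flag targets that live on removable media."""
    findings = []
    for path in root.rglob("*.lnk"):
        try:
            info = parse_lnk(path.read_bytes())
        except (ValueError, IndexError, struct.error) as exc:
            info = {"error": str(exc)}  # truncated or malformed file: report it rather than skip it
        info.update(file=str(path), on_removable=info.get("drive_type") == DRIVE_REMOVABLE)
        findings.append(info)
    return findings

def build_sample_lnk(target: str, drive_type: int = DRIVE_REMOVABLE) -> bytes:  # constructed test input, not a captured file
    base = target.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, drive_type, 0, 0x10) + b"\x00"  # 17-byte VolumeID with an empty label
    base_off = 0x1C + len(volume_id)
    body = volume_id + base + b"\x00"  # VolumeID, LocalBasePath, empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1, 0x1C, base_off, 0, base_off + len(base)) + body
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO | 0x08 | IS_UNICODE) + bytes(52)
    rel = ".\\" + target.rsplit("\\", 1)[-1]  # RELATIVE_PATH string, UTF-16LE because IS_UNICODE is set
    return header + link_info + struct.pack("<H", len(rel)) + rel.encode("utf-16-le")
```

Run `scan_for_lnk(Path("E:/"))` against a mounted stick to get one dict per shortcut; any entry with `on_removable` set, or with a `target` that is not what the shortcut's name suggests, is worth a closer look before the drive is opened.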
For managed networks, Chet Wisniewski of Sophos has a tip for using Group Policy to restrict program execution to hard drives. This can be overly restrictive, for instance if you have to execute programs off network shares, but that too can be addressed in Group Policy. Good work, Chet; this may be a policy worth keeping even after the patch comes out.
Hat tip to F-Secure’s News from the Lab.
F-Secure also notes an inconsistency in Microsoft’s advisory on the matter. Microsoft suggests that you have to explicitly browse the removable drive in order to be vulnerable, but other sources, including Microsoft’s own Malware Protection Center, say that the AutoPlay dialog box from inserting such a drive can also execute the code. The advisory may be confused, as I have been in the past, on the distinction between AutoPlay and AutoRun.
Posted on 20 July 2010. Tags: .LNK, Code, Exploit, flaw, Public, Windows
There is a patch for shell32.dll for older OSes:
http://nemesis.te-home.net/News/20100720_Patch_for_0day__LNK_file_handling_vulnerability.html