Quickpost: 2 .LNK Tools

Microsoft has issued an emergency patch (MS10-046) for the .LNK file vulnerability (CVE-2010-2568).

I’m releasing two small tools I developed to help me investigate this vulnerability.

The first is a 010 Editor template file for the .LNK binary file format.


The second is a ClamAV signature file to find all .LNK shortcuts that load a DLL (malicious or benign).

To scan your C: drive, run the following command:

clamscan.exe -d LNK-CPL-CVE-2010-2568.ndb -l scan.log -r c:\
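For readers who want to triage a single shortcut by hand, here is an added example (not the 010 Editor template or the ClamAV signature from this post) that parses the shell link header and walks the target ID list. It assumes, as the `CPL` in the signature's file name suggests, that the shortcuts of interest carry the Control Panel CLSID in that list; the function names and the sample builder are hypothetical.

```python
import struct
import uuid

HEADER_SIZE = 0x4C                      # fixed ShellLinkHeader size
HAS_LINK_TARGET_ID_LIST = 0x1           # LinkFlags bit 0
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le


def id_list_items(data):
    """Return the ItemID payloads of the LinkTargetIDList ([] if absent)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    if len(data) < HEADER_SIZE + 2:
        raise ValueError("IDList size field missing")
    (list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + list_size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:              # TerminalID closes the list
            return items
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    raise ValueError("IDList has no terminator")


def references_control_panel(data):
    """Heuristic (assumption): flag links whose ID list names Control Panel."""
    return any(CONTROL_PANEL in item for item in id_list_items(data))


def build_sample(guids, flags=HAS_LINK_TARGET_ID_LIST):
    """Constructed test input: header plus simplified 20-byte GUID items."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    items = b"".join(struct.pack("<HBB", 20, 0x1F, 0) + g for g in guids)
    items += b"\0\0"
    return (header.ljust(HEADER_SIZE, b"\0")
            + struct.pack("<H", len(items)) + items)
```

A hit only means the shortcut points into Control Panel, which legitimate shortcuts also do, so treat matches as candidates for review rather than verdicts.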

View full post on Didier Stevens
