MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

Summary: Microsoft has released a "fix-it" tool as a stop-gap to block ongoing zero-day attacks against a new code execution flaw in Windows Shell.

The attacks, which incorporate signed drivers from RealTek and JMicron, are spreading locally via malicious USB drives or remotely via network shares and WebDAV.

Microsoft has posted a pre-patch advisory that spells out the problem:

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.

The flaw could also be exploited to launch drive-by downloads against Windows users running Internet Explorer:

An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).

In the absence of a patch, Microsoft is recommending that users run the automated "Fix-It" tool to disable the vulnerable .LNK and .PIF icon-handling functionality on their Windows machines.
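As an added defender-side example (not from the article and not Microsoft's fix-it), the following Python script parses the string fields of .LNK files found on a mounted removable drive or network share and flags shortcuts whose icon would be fetched from a remote share or WebDAV path, or loaded from a binary outside the system directory, which is the condition the advisory above describes. The header layout and flag values follow the documented Shell Link binary format; the `SYSTEM_PREFIXES` heuristic, the `build_sample_lnk` helper and the three sample shortcuts are my own constructed assumptions for testing, and .PIF files (a different format) are not parsed.

```python
"""Triage shortcuts on a mounted drive or share before Explorer renders them.

Extracts the StringData fields that a shell link carries (name, relative path,
working directory, arguments, icon location) and reports ones whose icon or
target would be pulled from a remote location or a non-system binary.
"""
import struct
from pathlib import Path
from typing import Dict, List, Tuple

# Layout constants from the documented Shell Link binary format (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
# Heuristic assumption: icons served from these prefixes are treated as system-owned.
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\")
REMOTE_PREFIXES = ("\\\\", "http://", "https://")   # UNC shares and WebDAV URLs


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a shell link without resolving anything."""
    try:
        if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
            raise ValueError("not a shell link header")
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = HEADER_SIZE
        if flags & HAS_IDLIST:           # LinkTargetIDList: 2-byte size, then items
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:         # LinkInfo: 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        fields: Dict[str, str] = {}
        for flag, name in STRING_FIELDS:
            if not flags & flag:
                continue
            count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
            pos += 2
            raw = data[pos:pos + count * width]
            if len(raw) != count * width:
                raise ValueError("truncated StringData")
            pos += count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        return fields
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc


def triage(fields: Dict[str, str]) -> List[str]:
    """Heuristic reasons a shortcut deserves a look before its icon is displayed."""
    reasons: List[str] = []
    icon = fields.get("icon_location", "").lower()
    if icon.startswith(REMOTE_PREFIXES):
        reasons.append("icon is fetched from a remote share or WebDAV location")
    elif icon.endswith((".dll", ".exe")) and not icon.startswith(SYSTEM_PREFIXES):
        reasons.append("icon handler would load a non-system binary")
    for key in ("relative_path", "arguments", "working_dir"):
        if fields.get(key, "").lower().startswith(REMOTE_PREFIXES):
            reasons.append(f"{key} points at a remote location")
    return reasons


def scan(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a mounted drive or share and list shortcuts with triage findings."""
    findings: List[Tuple[str, List[str]]] = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".lnk":
            continue
        try:
            reasons = triage(parse_lnk(path.read_bytes()))
        except (ValueError, OSError) as exc:
            reasons = [f"unparseable: {exc}"]
        if reasons:
            findings.append((str(path), reasons))
    return findings


def build_sample_lnk(relative_path: str, icon_location: str) -> bytes:
    """Constructed minimal shell link (header plus two UTF-16 StringData fields),
    used only to exercise the parser; not a shortcut from any real attack."""
    flags = HAS_RELPATH | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\0" * (HEADER_SIZE - len(header))   # attributes, times, size left zero
    body = b""
    for text in (relative_path, icon_location):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def demo() -> Dict[str, List[str]]:
    """Run triage over three constructed samples and return findings per name."""
    samples = {
        "benign.lnk": build_sample_lnk(".\\notes.txt", "%SystemRoot%\\system32\\shell32.dll"),
        "remote_icon.lnk": build_sample_lnk(".\\readme.txt", "\\\\fileserver\\icons\\pic.dll"),
        "local_dll_icon.lnk": build_sample_lnk(".\\photo.jpg", "E:\\icons\\view.dll"),
    }
    return {name: triage(parse_lnk(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons or "ok")
```

Point `scan()` at the mount point of a removable drive or a mapped share to review its shortcuts from a machine where the icon handler is already disabled; the parser never resolves the paths it reports, so reading the files is safe on its own.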

Talkback

85 comments
  • Someone should tell MS

    "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability .."

    That and the rest, total bull - sorry. So, Microsoft has again(?) a shortcut to execute links, etc, separate from other execution which would not let this happen? And this is the problem with Windows, it's like a huge patchwork - no common methods but a huge pile of APIs, objects, methods instead of a small set of basic functions. Every time anything new comes or even old is changed, there will be whole new "subsystem" to do it - and more problems?
    tuomo@...
    • This is a bug in Explorer.

      @tuomo: Nothing more.
      ye
      • Aaaah...

        @ye

        So that means it's of no consequence, right?

        I knew it, it's a lot of fuss about nothing.
        OS Reload
      • Not according to the unofficial ZDNet talkback criteria.

        @OS Reload: It fails a few of them:

        1. It is not remotely exploitable.
        2. It requires user interaction.
        3. It does not have administrative rights.

        Essentially this bug is nothing more than a bug in any other program. It just happens to be Explorer.
        ye
    • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

      @ye:

      " It is not remotely exploitable."

      ...until WebDAV gets involved. ;)
      Random_Walk
  • Microsoft Windows = Insecure; Mac OS X = Secure;

    It pains me that I have so many good friends and relatives who still insist on using Microsoft products. Week after week, it's the same story from Microsoft: "Oh, here's a temporary patch until the next patch Tuesday."

    I would like everyone who reads these articles to ask themselves: When was the last time that Apple issued such a work-around for a critical issue? Never! Apple products are so secure that this nonsense isn't even necessary!
    Trolleur
    • "design" price premium

      @Trolleur

      OK, I'll switch to Apple. Just send me at least $1,000 to cover the difference between comparable machines - you know, that "design" premium - and I'll gladly switch over to your perfect platform of choice. Oh, and that's just for a desktop computer; more $$ will be required to replace the rest of the products in my digital world with their Apple counterpart.
      confuxion
      • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

        @confuxion
        I'll second that! I was going to tell Trolleur the same thing but you beat me to it. If Apples were more affordable, I would consider switching but, after checking out the pricetags on Mac Pros just last year, it will definitely be a while. In a meantime, I'll keep on using my seven Windows machines.
        jedikitty@...
      • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

        @confuxion I also heard that if I buy an Apple computer I would have to re-train myself in using the mouse-pad because apparently all these years I was doing it the wrong way. I also cannot touch Apple computers in one special place. If I do it the internet does not work anymore...
        pupkin_z
      • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

        @confuxion I take it you're ignoring TCO then? Yeah, thought so.

        What are these products you have that need replacing? I'd be surprised if you had much that didn't work with the Mac...

        Still I'd admit "just get a Mac" is hardly the most easy to follow or helpful advice. But getting a Mac doesn't mean you'd need to win the lottery either.
        Jeremy-UK
      • @Jeremy-UK

        TCO? Oh, how silly of me to not consider TCO! I'm an individual, not a Fortune-500 company trying to save a few million by analyzing TCO on a huge bulk purchase. The up-front cost of the product is pretty much what I'm concerned with.

        As for the products that need replacing, I was referring to switching to Apple for everything I buy - routers, smart phones, PMP's/MP3 players, monitors, etc. If I were to buy Apple-only for these types of devices, the "design" price premium would be even higher than the approx. $1k I'd need for replacing just the desktop computer. I wasn't referring to compatibility issues.

        And yes, it's true that I don't need to win the lottery to go all-Apple. But just so we're clear, that difference between Apple and non-Apple products I referred to is, in fact, enough to break the bank for an average Joe like me.
        confuxion
      • I had to replace my monitor adapters.

        @Jeremy-UK: [i]What are these products you have that need replacing? I'd be surprised if you had much that didn't work with the Mac...[/i]

        The mini-DVI to DVI and VGA adapters for my 2nd generation MacBook would not work with my new MacBook Pro. I had to buy mini-displayport versions for the new computer. Any firewire cables will need to be replaced too as the new system has FW800 versus FW400.

        And that's just replacing a Mac with a new Mac.
        ye
      • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

        @confuxion
        I instead use Linux, that is free (no $$$) and makes me free (yokeless), and I have all the programs I need, I can even have virtualbox running any OS I want. And I don't have to worry about viruses, patches on all the programs I have. I only do apt-get update, apt-get upgrade.
        orendon
      • Linux is free

        But I suspect @confuxion wouldn't be satisfied with that, either.

        Enjoy your Ballmer soup.
        ahh so
    • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

      @Trolleur
      So there are never any patches for the Mac OS??
      Orangy
      • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

        @Orangy

        Because OS X is so exceedingly secure, you never see Apple releasing stop-gap measures to fix critical issues. I challenge you to find a single Apple advisory that describes a work-around for an exploitable condition; you won't be able to!
        Trolleur
      • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

        @Orangy There are patches. But Apple don't have the same "drum beat" update procedure as Microsoft.

        Microsoft release patches on the first Tuesday of each month. They do this so customers know it's happening, and can plan for this (so they can test patches with their production environment before rolling it out).

        Apple don't do this. Apple release patches when they are ready.

        Of course, you can't plan for that.

        However, one of Microsoft's problems is "the bad guys" know about this schedule too, and they wait for the patches to reverse engineer exploits (if you can see what the patch does you can possibly discover what the problem is it is addressing). They then rush these out while the rest of the world is either: Testing the patches, or hasn't applied the patches yet.

        Apple doesn't do this.

        As you can see there are pros and cons to both approaches.

        Sometimes (like this one) there is an exploit in the wild that means that Microsoft can't wait for normal patch time. Microsoft try to minimise these times as they are a huge pain for customers.

        If you're running Mac OS X you should keep up with the patches.
        Jeremy-UK
      • No, they do not.

        @Jeremy-UK: [i]Apple release patches when they are ready.[/i]

        Security update 10.6.4 included over 20 security patches. Are you telling me Apple finished all 20+ security patches on the same day? Unlikely.

        [i]However, one of Microsoft's problems is "the bad guys" know about this schedule too, and they wait for the patches to reverse engineer exploits...[/i]

        Please explain how releasing patches on a schedule makes it easier for the bad guys to reverse engineer a patch as compared to releasing a patch at some undetermined time. I don't see it being any less/hard.
        ye
      • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

        @ Trolleur
        Actually Apple does not release stop-gap measures to try to send a temporary fix before a more permanent solution can be found because they are too busy saying that the issues are in the minds of their consumers...
        Ceridan
    • RE: MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

      @Trolleur - I think you're wrong, but your name likely says all we need to know...

      I love my Mac Pro and running Snow Leopard, but Windows uses more technology to guard against malicious code execution than is in Mac OS. It's just so many people hacking Windows means someone is going to get in...
      macpipkin