Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

MS ships temporary 'fix-it' for Windows shortcut zero-day attacks

By Ryan Naraine | July 21, 2010, 11:55am PDT

Summary: Microsoft has released a “fix-it” tool as a stop-gap to block ongoing zero-day attacks against a new code execution flaw in Windows Shell.

Microsoft has released a “fix-it” tool as a stop-gap to block ongoing zero-day attacks against a new code execution flaw in Windows Shell.

The attacks, which incorporate signed drivers from RealTek and JMicron, are spreading locally via malicious USB drives or remotely via network shares and WebDAV.

Microsoft has posted a pre-patch advisory that spells out the problem:

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.

The flaw could also be exploited to launch drive-by downloads against Windows users running Internet Explorer:

An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).

In the absence of a patch, Microsoft is recommending that users run the automated “Fix-It” tool to disable the vulnerable .LNK and .PIF shortcut functionality on affected Windows machines.
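The advisory quoted above says the trigger is the shortcut's icon being displayed, and that the malicious shortcuts arrive on USB drives, network shares and WebDAV. A responder triaging shortcuts from such media wants to see where each one tells Windows to load its icon from. The script below is an added example, not code from this post, from Microsoft or from the advisory: it parses the fixed header and StringData section of a .LNK file as laid out in the public MS-SHLLINK file format, builds a few constructed sample shortcuts inline, and applies a heuristic (an assumption made for this example, not a rule from the page) that rates a loadable module referenced on a UNC path as high risk, a module outside the Windows directory as worth review, and an image file or system-directory module as low risk.

```python
"""Triage helper for Windows .LNK (Shell Link) files: surface the icon
location and flag shortcuts whose icon is loaded from a module outside the
Windows directory. Added example; the layout follows the public MS-SHLLINK
format, the risk heuristic is an assumption made for this example."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in little-endian byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, IconIndex and the StringData fields of a .LNK blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, = struct.unpack_from("<i", data, 56)
    pos = HEADER_SIZE
    # LinkTargetIDList: 2-byte IDListSize followed by the item ID list
    if flags & HAS_LINK_TARGET_ID_LIST:
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    # LinkInfo: the leading 4-byte LinkInfoSize covers the whole structure
    if flags & HAS_LINK_INFO:
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    # StringData: each present string is CountCharacters + characters
    result = {"flags": flags, "icon_index": icon_index}
    unicode = bool(flags & IS_UNICODE)
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            pos += nbytes
            result[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return result


def icon_risk(info: dict) -> tuple:
    """Heuristic (assumed for this example): where does the icon get loaded from?"""
    loc = info.get("icon_location", "")
    if not loc:
        return ("low", "no custom icon location; icon comes from the link target")
    low = loc.lower().replace("/", "\\")
    if not low.endswith((".dll", ".exe", ".cpl", ".ocx")):
        return ("low", "icon is image data, not a loadable module")
    if low.startswith("\\\\"):
        return ("high", "icon module on a UNC path (network share or WebDAV)")
    if low.startswith(("%systemroot%\\", "%windir%\\", "c:\\windows\\")):
        return ("low", "icon module under the Windows directory")
    return ("review", "icon module outside the Windows directory")


def build_lnk(icon_location: str, unicode: bool = True) -> bytes:
    """Construct a minimal .LNK blob carrying only an ICON_LOCATION string (demo only)."""
    flags = HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    enc = icon_location.encode("utf-16-le" if unicode else "cp1252")
    string_data = struct.pack("<H", len(icon_location)) + enc
    return header + string_data + b"\x00\x00\x00\x00"  # TerminalBlock


def triage(samples: dict) -> dict:
    """Map sample name -> (risk, reason) for a batch of .LNK blobs."""
    return {name: icon_risk(parse_lnk(blob)) for name, blob in samples.items()}


# Constructed demo shortcuts; none of these are real malware samples.
SAMPLES = {
    "system_icon": build_lnk(r"%SystemRoot%\system32\shell32.dll"),
    "plain_ico": build_lnk(r"C:\Users\Public\notes.ico"),
    "share_dll": build_lnk(r"\\fileserver\public\icons\view.dll"),
    "removable_dll": build_lnk(r"E:\docs\view.dll", unicode=False),
}

if __name__ == "__main__":
    for name, (risk, why) in triage(SAMPLES).items():
        print(f"{name:14s} {risk:7s} {why}")
```

On a real disk image or share listing, replace `SAMPLES` with the bytes of each `*.lnk` file found; the parser only reads the header and StringData, so it tolerates the extra data blocks that follow. The heuristic is a triage aid for picking which shortcuts to examine first, not a verdict, and it says nothing about shortcuts that carry no ICON_LOCATION string at all.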

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

85 Comments

Win2K slamfest
yet_another 3rd Aug 2010
This should bring out at least a casual "Oh Dear" from those still running Win2K (Pro & Svr).
Someone should tell MS
tuomo@... Updated - 21st Jul 2010
"The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability .."

That and the rest, total bull - sorry. So, Microsoft has again(?) a shortcut to execute links, etc, separate from other execution which would not let this happen? And this is the problem with Windows, it's like a huge patchwork - no common methods but a huge pile of APIs, objects, methods instead of a small set of basic functions. Every time anything new comes or even old is changed, there will be whole new "subsystem" to do it - and more problems?
This is a bug in Explorer.
ye 21st Jul 2010
@tuomo: Nothing more.
Aaaah...
OS Reload 21st Jul 2010
@ye

So that means it's of no consequence, right?

I knew it, it's a lot of fuss about nothing.
@OS Reload: It fails a few of them:

1. It is not remotely exploitable.
2. It requires user interaction.
3. It does not have administrative rights.

Essentially this bug is nothing more than a bug in any other program. It just happens to be Explorer.
@ye:

" It is not remotely exploitable."

...until WebDAV gets involved. wink
Microsoft Windows = Insecure; Mac OS X = Secure;
Trolleur Updated - 21st Jul 2010
It pains me that I have so many good friends and relatives who still insist on using Microsoft products. Week after week, it's the same story from Microsoft: "Oh, here's a temporary patch until the next patch Tuesday."

I would like everyone who reads these articles to ask themselves: When was the last time that Apple issued such a work-around for a critical issue? Never! Apple products are so secure that this nonsense isn't even necessary!
"design" price premium
confuxion 21st Jul 2010
@Trolleur

OK, I'll switch to Apple. Just send me at least $1,000 to cover the difference between comparable machines - you know, that "design" premium - and I'll gladly switch over to your perfect platform of choice. Oh, and that's just for a desktop computer; more $$ will be required to replace the rest of the products in my digital world with their Apple counterpart.
@confuxion
I'll second that! I was going to tell Trolleur the same thing but you beat me to it. If Apples were more affordable, I would consider switching but, after checking out the pricetags on Mac Pros just last year, it will definitely be a while. In a meantime, I'll keep on using my seven Windows machines.
@confuxion I also heard that if I buy an Apple computer I would have to re-train myself in using the mouse-pad because apparently all these years I was doing it the wrong way. I also cannot touch Apple computers in one special place. If I do it the internet does not work anymore...
@confuxion I take it you're ignoring TCO then? Yeah, thought so.

What are these products you have that need replacing? I'd be surprised if you had much that didn't work with the Mac...

Still I'd admit "just get a Mac" is hardly the most easy to follow or helpful advice. But getting a Mac doesn't mean you'd need to win the lottery either.
@Jeremy-UK
confuxion 21st Jul 2010
TCO? Oh, how silly of me to not consider TCO! I'm an individual, not a Fortune-500 company trying to save a few million by analyzing TCO on a huge bulk purchase. The up-front cost of the product is pretty much what I'm concerned with.

As for the products that need replacing, I was referring to switching to Apple for everything I buy - routers, smart phones, PMP's/MP3 players, monitors, etc. If I were to buy Apple-only for these types of devices, the "design" price premium would be even higher than the approx. $1k I'd need for replacing just the desktop computer. I wasn't referring to compatibility issues.

And yes, it's true that I don't need to win the lottery to go all-Apple. But just so we're clear, that difference between Apple and non-Apple products I referred to is, in fact, enough to break the bank for an average Joe like me.
@Jeremy-UK: What are these products you have that need replacing? I'd be surprised if you had much that didn't work with the Mac...

The mini-DVI to DVI and VGA adapters for my 2nd generation MacBook would not work with my new MacBook Pro. I had to buy mini-displayport versions for the new computer. Any firewire cables will need to be replaced too as the new system has FW800 versus FW400.

And that's just replacing a Mac with a new Mac.
@confuxion
I instead use Linux, that is free (no $$$) and makes me free (yokeless), and I have all the programs I need, I can even have virtualbox running any OS I want. And I don't have to worry about viruses, patches on all the programs I have. I only do apt-get update, apt-get upgrade.
Linux is free
ahh so Updated - 22nd Jul 2010
But I suspect @confuxion wouldn't be satisfied with that, either.

Enjoy your Ballmer soup.
@Trolleur
So there are never any patches for the Mac OS??
@Orangy

Because OS X is so exceedingly secure, you never see Apple releasing stop-gap measures to fix critical issues. I challenge you to find a single Apple advisory that describes a work-around for an exploitable condition; you won't be able to!
@Orangy There are patches. But Apple don't have the same "drum beat" update procedure as Microsoft.

Microsoft release patches on the first Tuesday of each month. They do this so customers know it's happening, and can plan for this (so they can test patches with their production environment before rolling it out).

Apple don't do this. Apple release patches when they are ready.

Of course, you can't plan for that.

However, one of Microsoft's problems is "the bad guys" know about this schedule too, and they wait for the patches to reverse engineer exploits (if you can see what the patch does you can possibly discover what the problem is it is addressing). They then rush these out while the rest of the world is either: Testing the patches, or hasn't applied to patches yet.

Apple doesn't do this.

As you can see there are pros and cons to both approaches.

Sometimes (like this one) there is an exploit in the wild that means that Microsoft can't wait for normal patch time. Microsoft try to minimise these times as they are a huge pain for customers.

If you're running Mac OS X you should keep up with the patches.
No, they do not.
ye Updated - 22nd Jul 2010
@Jeremy-UK: Apple release patches when they are ready.

Security update 10.6.4 included over 20 security patches. Are you telling me Apple finished all 20+ security patches on the same day? Unlikely.

However, one of Microsoft's problems is "the bad guys" know about this schedule too, and they wait for the patches to reverse engineer exploits...

Please explain how releasing patches on a schedule makes it easier for the bad guys to reverse engineer a patch as compared to releasing a patch at some undetermined time. I don't see it being any less/hard.
@ Trolleur
Actually Apple does not release stop-gap measures to try to send a temporary fix before a more permanent solution can be found because they are too busy saying that the issues are in the minds of their consumers...
@Trolleur - I think you're wrong, but your name likely says all we need to know...

I love my Mac Pro and running Snow Leopard, but Windows uses more technology to guard against malicious code execution than is in Mac OS. It's just so many people hacking Windows means someone is going to get in...
@macpipkin While I don't agree with Trolleur, I don't agree with you either. Windows NEEDS more technology to guard against malware. This is because Windows puts a far greater emphasis on backward compatibility than Mac OS X does. Again there are pros and cons to both approaches.
@Trolleur "Windows Insecure; Mac OS X = Secure"

Mac boys= Gullible
(Probably believes everything Jobs says, spoon fed little cattle aren't we)
And...
zkiwi 21st Jul 2010
You seem to forget that every version of Windows is "the most secure yet" and I'd take a guess that you believe that every time they say it, despite it being so vastly compromised both from 7 on down.
@Trolleur Why do you read these MS-specific blogs? You appear to have nothing useful to say on the issue....
You DO realize why this is.. don't you?
Wolfie2K3 21st Jul 2010
@Trolleur
It's pretty much common knowledge that Apple tends to delete or otherwise remove posts made to its support web site that show Apple wares in a bad light. Apple generally doesn't acknowledge there's a problem until they're ready to do so - i.e. when they drop a mega patch on end users.

Of course, this does NOT make the Apple experience more secure. It just makes it look like it is.

Charlie Miller, the guy who keeps Pwning Macs at the Pwn2Own contest every year (or so it seems) has, according to him, an arsenal of over 100 vulnerabilities in OSX that can be exploited. Good thing he wears a hat that's more white than black.

Should he turn to the dark side, the Mac community would be in for a rather ugly wakeup call.
Not according to security researchers.
Lester Young 21st Jul 2010
@Trolleur

More unpatched Intel-era vulnerabilities in OS X than Windows Vista according to Secunia. And check out what Dino DaiZovi (of pwn to own fame) has to say.

http://www.scribd.com/doc/13450744/Dino-Dai-Zovi-Mac-OS-Xploitation
You're so right!!
herry.k 22nd Jul 2010
@Trolleur
In fact it is so secure that it is the no. 1 spot in Secunia list.
http://arstechnica.com/security/news/2010/07/apple-the-new-world-leader-in-software-insecurity.ars
@Trolleur

The reason your friends insist on using MS is that, they get a much better value on their hardware plus the widest range of software that can be used.

If they were affected by every vulnerability, they would have switched years ago. These vulnerabilities get a lot of press here but when you dig down, you find that usually, a very special set of circumstances has to apply. (See Ye's post above.)
@Trolleur

I love you guys who have this false sense of security because you think your MAC is secure.... in actuality Windows XP SP3 and Windows 7 are both significantly more secure than your beloved OS X. Maybe you should read this....

http://news.techworld.com/security/1798/mac-os-x-security-myth-exposed/

The more you look into this, the more you'll start to see that the only reason you don't hear as much about MAC Security problems is it's not newsworthy enough... who cares after all, the percentage of users of MACs vs PC is so small that it's not worth the airtime....
Think of it this way.... if anything, hearing about the Microsoft security holes should say one thing about Microsoft.... they find out about a problem...they fix it (or at least try to)... What's MAC doing to address YOUR security holes, other than keeping it quiet so you THINK you are secure??
@Trolleur You might want to rethink this... Mac OS does indeed have vulnerabilities - wasn't the Mac OS the first to get hacked in that competition a few months ago? Nor are there patches from Microsoft week after week...
@Trolleur nice name for a clueless n00b
@Trolleur maybe you should check out this link:
http://www.zdnet.com/blog/security/apple-safari-autofill-allows-data-theft/6928?tag=nl.e589
The writer, Mr Grossman states he reported the "flaw" twice to Apple BUT NEVER GOT A REPLY!!
Looks like there is a GAPING hole in the Apple armor. I'm rolling on the floor LOL about "Apple products are SOOOO secure................!" He's recommending that users turn off the auto fill feature IMMEDIATELY to block hackers from stealing sensitive information when using Safari.
Secure? Ha! Hey, by the way, I've got this bridge in Brooklyn .............
Oh, by the way, since it looks like Apple won't acknowledge him
he took it upon himself to issue a work around for them!!!!!!!
@Trolleur

They don't! They just leave your computer at risk until the patch is done.

Here's your Apple security:

http://support.apple.com/kb/ht1222
@Trolleur, you're sounding a lot like Jimmy Swaggert. Sheesh, I chose the PC 30 years ago simply because I wouldn't, and still won't, buy a product that locks me into a world view that I must slavishly follow--it's not Microsoft that's the issue, it's freedom. The PC is about as free as you can get in the computing world. "God, er, Apple products are so secure" that we'll all go to heaven if we believe. In the meantime, sell all you own, give your money to God/Apple, and the end of the world will come without any updates or insecurity. In that case, why do we have an OS X (10)?
Trolleur's widdle tool fools
ahh so 22nd Jul 2010
Boy, he got you all in a tizzy, now didn't he...

LOL...LOL... grin
Sorry but in my book that does not qualify as a 'fix'.

Why don't they go all the way and remove ALL functionality? That would be the ultimate 'fix', more, that would be

? ? ? ? ? THE Fix

the fix to end them all or "the mother of all fixes"
@OS Reload: nt
@ye

Call it an emergency remedial measure and make it very clear that it's a desperate one.
Or call it temporary.
ye Updated - 21st Jul 2010
@OS Reload: Both work.
Well, it fixes nothing...
OS Reload 21st Jul 2010
@ye

You can call it whatever you want, be it a 'fix', a 'tricycle', a 'horse' or a 'condom.' It's neither of those so any will fit equally well.
@OS Reload: Especially when we have a perfectly good description with temporary fix?
@ye & Reload

because it is both temporary and doesn't fix the underlying problem. no?
It wasn't called "a fix" at all.
seanferd 21st Jul 2010
It was said that MS offered a "fix-it". Follow the links if you don't know what a Microsoft Fix it is.

No comment on MS code quality, the forthcoming patch, the Fix it workaround, or the MS Fix it gestalt is implied.
There have been exploits aimed at the various Apple O/S's over the years. However due to the ubiquitous nature of Windows O/S's in both corporate environments and home desktops and laptops.....hackers are naturally going to go for the "low hanging fruit". Apple O/S's are not inherently better than Windows O/S's. People have their own reasons for preferring Apple over MS. And vice versa. I have used MS O/S's since the early days of DOS and have very rarely had any problems related to hacking. Not even that many viruses considering I have used MS since the beginning. Is MS perfect? NO. Far from it. But given the fact that Apple's hardware is so much more expensive than PC systems and Windows is just as easy to master if not more so than Apple's offering, most people are going to choose the latter of the former. Also, Apple's recent problems with the new iPhone prove that Apple is not as perfect as many of its sycophants like to believe.
@rickhal
Actually, that statement is not strictly true of Windows OS that precede W7 - (I don't have the knowledge on W7 - though I would expect legacy issues to give W7 a few severe headaches.) It's all much easier if you base your OS around a structured (and mature) system such as UNIX, and haven't tried to speed up the operation with kluges.
Not that I use Apple's OSs, as very little of what I really need runs on them.
@shtromer You are mostly right! But, the Apple cores don't have room to criticize. Windows can do what it was designed to do. Now, Apple, we all know releases phones that cannot make calls, their primary functions
@windozefreak: Now, Apple, we all know releases phones that cannot make calls, their primary functions

Isn't its primary function to make the owner look cool? That form over function? happy
Well that didn't take long at all. Quick response from Microsoft is what I've come to expect. For those of you complaining, no this is not the solution but it works as a temporary fix until the solution is well tested. I knew this bug wouldn't get far.
Or use a potty without adult supervision.
Well ya never know...
ahh so 22nd Jul 2010
@OS Reload
He might use his helmet as a pot

lol... grin