Date: 21 July 2010
References: ESB-2010.0670
Related Files:
ESB-2010.0628
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0628.2
Vulnerability in Windows Shell Could Allow Remote Code Execution
21 July 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows Shell
Publisher: Microsoft
Operating System: Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2010-2568
Original Bulletin:
http://www.microsoft.com/technet/security/advisory/2286198.mspx
Comment: A vulnerability in Windows link files has been exploited in some
targeted attacks with some analyses indicating that certain SCADA
systems are at risk of compromise.
Revision History: July 21 2010: Microsoft updated bulletin to include PIF
files and the displaying of icons workaround
July 19 2010: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
Published: July 16, 2010
Version: 1.0
General Information
Executive Summary
Microsoft is investigating reports of limited, targeted attacks
exploiting a vulnerability in Windows Shell, a component of Microsoft
Windows. This advisory contains information about which versions of
Windows are vulnerable as well as workarounds and mitigations for this
issue.
The vulnerability exists because Windows incorrectly parses shortcuts
in such a way that malicious code may be executed when the user clicks
the displayed icon of a specially crafted shortcut. This vulnerability
is most likely to be exploited through removable drives. For systems that
have AutoPlay disabled, customers would need to manually browse to the root
folder of the removable disk in order for the vulnerability to be exploited.
For Windows 7 systems, AutoPlay functionality for removable disks is
automatically disabled.
Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64
Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for
32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008
for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server
2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Disable the displaying of icons for shortcuts
Note See Microsoft Knowledge Base Article 2286198 to use the automated
Microsoft Fix it solution to enable or disable this workaround. This Fix
it solution will require a restart upon completion in order to be
effective. This Fix it solution deploys the workaround, and thus has the
same user impact. We recommend that administrators review the KB article
closely prior to deploying this Fix it solution.
Note Using Registry Editor incorrectly can cause serious problems
that may require you to reinstall your operating system. Microsoft
cannot guarantee that problems resulting from the incorrect use of
Registry Editor can be solved. Use Registry Editor at your own risk.
1. Click Start, click Run, type Regedit in the Open box, and
then click OK
2. Locate and then click the following registry key:
HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
3. Click the File menu and select Export
4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg
and click Save
Note This will create a backup of this registry key in the
My Documents folder by default
5. Select the value (Default) on the right hand window in the
Registy Editor. Press Enter to edit the value of the key. Remove
the value, so that the value is blank, and press Enter.
6. Locate and then click the following registry key:
HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
7. Click the File menu and select Export.
8. In the Export Registry File dialog box, enter PIF_Icon_Backup.reg and
click Save.
Note This will create a backup of this registry key in the My Documents
folder by default.
9. Select the value (Default) on the right hand window in the Registy
Editor. Press Enter to edit the value of the key. Remove the value, so
that the value is blank, and press Enter.
10. Log all users off and on again, or restart the computer.
Impact of workaround.
Disabling icons from being displayed for shortcuts prevents the issue
from being exploited on affected systems. When this workaround is
implemented, shortcut files and Internet Explorer shortcuts will no
longer have an icon displayed.
Disable the WebClient service
Disabling the WebClient service helps protect affected systems from
attempts to exploit this vulnerability by blocking the most likely
remote attack vector through the Web Distributed Authoring and Versioning
(WebDAV) client service. After applying this workaround, it will still be
possible for remote attackers who successfully exploited this vulnerability
to cause Microsoft Office Outlook to run programs located on the targeted
user's computer or the Local Area Network (LAN), but users will be prompted
for confirmation before opening arbitrary programs from the Internet.
To disable the WebClient Service, follow these steps:
1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running,
click Stop.
4. Click OK and exit the management application.
Impact of workaround.
When the WebClient service is disabled, Web Distributed Authoring and
Versioning (WebDAV) requests are not transmitted. In addition, any
services that explicitly depend on the Web Client service will not
start, and an error message will be logged in the System log. For
example, WebDAV shares will be inaccessible from the client computer.
How to undo the workaround.
To re-enable the WebClient Service, follow these steps:
1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Automatic. If the service is not running,
click Start.
4. Click OK and exit the management application.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967
iD8DBQFMRkw4/iFOrG6YcBERAquKAKCBoj7kmnUPSqNOch5F4UVWWExkKQCgqsKw
rhjE6l1i+XQZ9JXwAirKtq0=
=0x0b
-----END PGP SIGNATURE-----
|