Critical Vulnerability in Microsoft Windows Shell
GSA Reference Number: AD100719-01
Simply Put: Microsoft has released an advisory for a code execution vulnerability in Microsoft Windows Shell. This vulnerability affects Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. This vulnerability can be exploited if a user opens a USB device or network share containing a maliciously crafted shortcut file (.lnk). Microsoft has also been alerted to attacks using this exploit code. Gladiator recommends that users apply the workarounds recommended by Microsoft as soon as possible. No patch has been released yet.
Attack Details: There is a vulnerability in the Windows Shell (i.e. Windows Explorer) that allows code execution when browsing folders containing maliciously crafted .lnk files. Neither Autorun nor AutoPlay has to be enabled for a system to be vulnerable to this issue. This vulnerability will most likely be exploited through USB drives or network shares. This vulnerability also affects versions of Windows which are no longer supported by Microsoft, including Windows 2000 and Windows XP Service Pack 2. Patches will not be issued for unsupported operating systems. Note: Windows XP Service Pack 3 is supported.
Countermeasures: Microsoft has a workaround for this issue; however, there is no patch at this time. Microsoft recommends that users disable the displaying of icons for shortcuts. Also, Microsoft recommends users disable the WebClient service, which will prevent the browsing of Web shares. Instructions are available in the Microsoft Advisory under the Workarounds section. Gladiator recommends that users consider applying the workarounds provided by Microsoft. Test the workarounds first to ensure that there are no compatibility or usability issues.
Update [7/22/2010]: Microsoft has released a Fix It link. This link will apply the recommended workaround to a machine automatically. The Fix It link can be found in the "Microsoft Security Advisory with Fix-It link" entry under Reference Links.
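To confirm that both workarounds are in place on a host, whether applied by hand or through the Fix It, the following check can be run; it is an added example, not code from Microsoft or Gladiator. It assumes Windows PowerShell and that the shortcut icon handler is registered in the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler, a key this advisory does not itself name; the function names are hypothetical.

```powershell
# Added example: audit the two workarounds described above.
# Assumption: the .lnk icon handler lives in the default value of
# HKCR\lnkfile\shellex\IconHandler; verify against the Microsoft advisory.

function Test-ShortcutIconHandlerDisabled {
    param([string]$ProgId = 'lnkfile')
    $path = "Registry::HKEY_CLASSES_ROOT\$ProgId\shellex\IconHandler"
    # No key at all means no icon handler is registered for this file type.
    if (-not (Test-Path -Path $path)) { return $true }
    # The workaround is in effect when the key's default value is empty.
    $default = (Get-ItemProperty -Path $path).'(default)'
    return [string]::IsNullOrEmpty($default)
}

function Test-WebClientDisabled {
    # Win32_Service exposes StartMode on older systems where
    # Get-Service has no StartType property.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return $true }   # service not installed
    return ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
}

$iconsOff     = Test-ShortcutIconHandlerDisabled
$webClientOff = Test-WebClientDisabled

$report = New-Object PSObject -Property @{
    Computer                = $env:COMPUTERNAME
    ShortcutIconsDisabled   = $iconsOff
    WebClientDisabled       = $webClientOff
    WorkaroundFullyApplied  = ($iconsOff -and $webClientOff)
}
$report | Format-List

# Non-zero exit code lets a deployment or inventory tool flag the host.
if (-not $report.WorkaroundFullyApplied) { exit 1 }
```

A host that reports `WorkaroundFullyApplied : False` still needs the manual workaround or the Fix It applied; a disabled WebClient service that is still running requires a stop or reboot before the setting takes effect.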
Reference Links:
- Microsoft Advisory (http://www.microsoft.com/technet/security/advisory/2286198.mspx)
- SANS ISC Diary Entry (http://isc.sans.edu/diary.html?storyid=9181)
- Network World Article (http://www.networkworld.com/news/2010/071710-microsoft-confirms-nasty-windows-zero-day.html)
- Microsoft Security Advisory with Fix-It link (http://support.microsoft.com/kb/2286198)
- Additional Information – SANS ISC Diary (http://isc.sans.edu/diary.html?storyid=9217)