CERT mailing list archives
Current Activity - Microsoft Windows .LNK Vulnerability
From: Current Activity <us-cert () us-cert gov>
Date: Wed, 21 Jul 2010 09:20:28 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 US-CERT Current Activity Microsoft Windows .LNK Vulnerability Original release date: July 16, 2010 at 10:08 am Last revised: July 21, 2010 at 8:49 am US-CERT is aware of a vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for .LNK files. Microsoft uses .LNK files, commonly referred to as "shortcuts," as references to files or applications. By convincing a user to display a specially crafted .LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an .LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the .LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user. This vulnerability can also be exploited remotely through a malicious website, or through a malicious file or WebDAV share. Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include * disabling the display of icons for shortcuts * disabling the WebClient service * blocking the download of .LNK and .PIF files from the internet Update: Microsoft has released a tool, Microsoft Fix it 50486, to assist users in disabling .LNK and .PIF file functionality. Users and administrators are encouraged to review Microsoft Knowledgebase article 2286198 and use the tool or the interactive method provided in the article to disable .LNK and .PIF functionality until a security update is provided by the vendor. In addition to implementing the workarounds listed in Microsoft Security Advisory 2286198, US-CERT encourages users and administrators to consider implementing the following best practice security measures to help further reduce the risks of this and other vulnerabilities: * Disable AutoRun as described in Microsoft Support article 967715. * Implement the principle of least privilege as defined in the Microsoft TechNet Library. * Maintain up-to-date antivirus software. Additional information can be found in the US-CERT Vulnerability Note VU#940193. US-CERT will provide additional information as it becomes available. Relevant Url(s): <http://support.microsoft.com/kb/967715> <http://support.microsoft.com/kb/2286198> <http://technet.microsoft.com/en-us/library/bb456992.aspx> <http://www.microsoft.com/technet/security/advisory/2286198.mspx> <http://www.kb.cert.org/vuls/id/940193> ==== This entry is available at http://www.us-cert.gov/current/index.html#microsoft_windows_lnk_vulnerability -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTEb0ED6pPKYJORa3AQJaNQf9Ev4rBEwtZpRgwnIcr/S1QeJAe9N5piI6 qke652WEXJKiFDI7IR173lpkLS6UdYaSMdglar6wZLsPJ5GnYjFXA0o8xq799niG yJMqfibKpUnXkR9OLRs5Rtr0EwjnBdzIJquY6vMYHnFvWHnPJmlGKjH9yrR8c00x M2fegEucy7eQvf8lyzbY1My0LQ7zn4GNEob7G1C/s390r8z2p00AR/hZkaYMGxDJ SGWC+1sFEztHN5iC5XIoQzElcfQ76Zui3Ntr46ABNCLxOrWnFyI1w121B03FBty8 lJSgJ+OYquM5uWXw8m7OtZMxaj4ikeS7Yw7dRFlmq8iI/tU/uzYuHA== =PY3M -----END PGP SIGNATURE-----
Current thread:
- Current Activity - Microsoft Windows .LNK Vulnerability Current Activity (Jul 21)
- <Possible follow-ups>
- Current Activity - Microsoft Windows .LNK Vulnerability Current Activity (Jul 30)