Re: .LNK vulnerbility

[John Koelndorfer <jkoelndorfer () gmail com>]

Microsoft did not mention SP2 because it is EOL. You should probably upgrade.

On Fri, Jul 23, 2010 at 11:58 AM, Eggleston, Mark
<meggleston () healthpart com> wrote:
> Also MS states XP SP3 impacted (but does NOT mention SP2?) However,
> bugtraq mentions SP2... Can anyone confirm if XP SP2 is impacted?
>
> Regards,
>
> Mark
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Todd Haverkos
> Sent: Friday, July 23, 2010 12:29 PM
> To: Daniel Hood
> Cc: security-basics () securityfocus com
> Subject: Re: .LNK vulnerbility
>
>
> Daniel Hood <dsmhood () gmail com> writes:
> > List,
> >
> > Can someone please share how this vulnerability actually works.
> >
> > I'm wondering whether its a "You visit a .php page thats infected and
> > your exploited" or whether its a "You click a link on a .php page and
> > it links to a .lnk file and you download it and run it and your
> > exploited."?
> >
> > Can someone please shed some light on this?
> >
> > Daniel
>
> Hi Daniel,
>
> The most recent thing I've learned is that .PIF files are also an attack
> vector in addition to .LNK.
>
> The best I was able to make of the ISC writeups and the Microsoft
> advisory (2286198) it was that you get a .LNK file onto the system in
> some fashion (usb drive inserted, it showing up on a network share that
> a user views in explorer, or saved via web page somehow to a local file
> system), and then, when the directory containing the LNK file gets
> viewed in Windows Explorer in the icon view, that's when the Bad Things
> happen.  It struck me as a lot of things having to line up in any case
> other than the "insert infected USB drive" attack vector.
>
> Having autorun disabled does raise the bar a little for the usb or cd
> insertion scenarios, but doesn't eliminate the vulnerability if someone
> manually browses the directory in explorer, as I understand it.
>
> If I'm right about that understanding, didn't strike me as anything
> nearly as effective or threatening as a drive-by download exploit for
> java/flash/reader would be.  I'm not really sure why that was enough for
> the SANS ISC to raise infocon to yellow when there have been drive-by
> exploitable plugin issues for browsers that posed a much bigger threat
> where they didn't go yellow.
>
> I'd also be curious to know if there's more to the LNK issue than I'm
> understanding it to be.
>
> It would be a good time, though to remind users that popping a usb drive
> they found in the bathroom, parking lot or lobby into their Windows
> computer to have a look at what's on it is _not_ safe to do...then
> again, that's been true with the existence of things like U3 autorun
> ability, USB hacksaw and USB switchblade for quite some time.
> This just represents another USB borne attack vector that isn't
> necessarily dependent on autorun settings.
>
> Best Regards,
> --
> Todd Haverkos, LPT MsCompE
> http://haverkos.com/
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate In this guide
> we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company and
> how your customers can tell if a site is secure. You will find out how
> to test, purchase, install and use a thawte Digital Certificate on your
> Apache web server. Throughout, best practices for set-up are highlighted
> to help you ensure efficient ongoing management of your encryption keys
> and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
> f727d1
> ------------------------------------------------------------------------
>
> This message, together with any attachments, is intended only for
> the use of the individual or entity to which it is addressed. It
> may contain information that is confidential and prohibited from
> disclosure. If you are not the intended recipient, you are hereby
> notified that any dissemination or copying of this message or any
> attachment is strictly prohibited. If you have received this
> message in error, please notify the original sender immediately by
> telephone or by return e-mail and delete this message along with
> any attachments, from your computer.
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------