CERT mailing list archives

Current Activity - Microsoft Windows .LNK Vulnerability


From: Current Activity <us-cert () us-cert gov>
Date: Fri, 30 Jul 2010 14:23:00 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

US-CERT Current Activity

Microsoft Windows .LNK Vulnerability

Original release date: July 16, 2010 at 10:08 am
Last revised: July 30, 2010 at 2:03 pm


US-CERT is aware of a vulnerability affecting Microsoft Windows. This
vulnerability is due to the failure of Microsoft Windows to properly
obtain icons for .LNK files. Microsoft uses .LNK files, commonly
referred to as "shortcuts," as references to files or applications.

By convincing a user to display a specially crafted .LNK file, an
attacker may be able to execute arbitrary code that would give the
attacker the privileges of the user. Viewing the location of an .LNK
file with Windows Explorer is sufficient to trigger the vulnerability.
By default, Microsoft Windows has AutoRun/AutoPlay features enabled.
These features can cause Windows to automatically open Windows
Explorer when a removable drive is connected, thus opening the
location of the .LNK and triggering the vulnerability. Other
applications that display file icons can be used as an attack vector
for this vulnerability as well. Depending on the operating system and
AutoRun/AutoPlay configuration, exploitation can occur without any
interaction from the user. This vulnerability can also be exploited
remotely through a malicious website, or through a malicious file or
WebDAV share.

Microsoft has released Microsoft Security Advisory 2286198 in response
to this issue. Users are encouraged to review the advisory and
consider implementing the workarounds listed to reduce the threat of
known attack vectors. Please note that implementing these workarounds
may affect functionality. The workarounds include:
  * disabling the display of icons for shortcuts
  * disabling the WebClient service
  * blocking the download of .LNK and .PIF files from the internet

Microsoft has released a tool, Microsoft Fix it 50486, to assist users
in disabling .LNK and .PIF file functionality. Users and
administrators are encouraged to review Microsoft Knowledgebase
article 2286198 and use the tool or the interactive method provided in
the article to disable .LNK and .PIF functionality until a security
update is provided by the vendor.

Update: Microsoft has issued a Security Bulletin Advance Notification
indicating that it will be releasing an out-of-band security bulletin
to address this vulnerability. Release of the security bulletin is
scheduled for August 2, 2010.

In addition to implementing the workarounds listed in Microsoft
Security Advisory 2286198, US-CERT encourages users and administrators
to consider implementing the following best practice security measures
to help further reduce the risks of this and other vulnerabilities:
  * Disable AutoRun as described in Microsoft Support article 967715.
  * Implement the principle of least privilege as defined in the
    Microsoft TechNet Library.
  * Maintain up-to-date antivirus software.

Additional information can be found in the US-CERT Vulnerability Note
VU#940193.

US-CERT will provide additional information as it becomes available.

Relevant URL(s):
<http://support.microsoft.com/kb/967715>
<http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx>
<http://support.microsoft.com/kb/2286198>
<http://technet.microsoft.com/en-us/library/bb456992.aspx>
<http://www.microsoft.com/technet/security/advisory/2286198.mspx>
<http://www.kb.cert.org/vuls/id/940193>

====
This entry is available at
http://www.us-cert.gov/current/index.html#microsoft_windows_lnk_vulnerability

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

-----END PGP SIGNATURE-----
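
Added example (not part of the US-CERT message or of any Microsoft tooling): because simply displaying a folder in Windows Explorer is enough to trigger the flaw, a removable drive or download directory can be inventoried from a script, which never asks the shell to render icons. The sketch below lists .LNK and .PIF files, the two types named in the workarounds, and also flags files that carry a shell link header under a different extension. The function names, the reason strings and the sample files are assumptions made for illustration; the header constants come from the public Shell Link binary format. It inventories files only and does not judge whether a shortcut is malicious.

```python
import os
import struct
import tempfile

# Constants from the public Shell Link (.LNK) binary format: a 4-byte
# HeaderSize of 0x4C followed by the 16-byte LinkCLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
BLOCKED_EXTS = {".lnk", ".pif"}  # the two types named in the advisory


def is_shell_link(head: bytes) -> bool:
    """True if the first 20 bytes look like a shell link header."""
    if len(head) < 20:
        return False
    (size,) = struct.unpack_from("<I", head, 0)
    return size == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def scan(root: str) -> list:
    """Return sorted (relative path, reason) pairs for files to hold back."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(20)
            except OSError:
                head = b""  # unreadable: fall back to the extension check
            if is_shell_link(head) and ext != ".lnk":
                reason = "shell link header under another extension"
            elif ext in BLOCKED_EXTS:
                reason = "blocked extension " + ext
            else:
                continue
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo() -> list:
    """Constructed sample tree: header-only stubs, not working shortcuts."""
    stub = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + bytes(56)
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("a.LNK", stub), ("readme.txt", b"hello"),
                           ("photo.jpg", stub), ("old.pif", b"\x00" * 8)]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)
```

Call scan() with the mount point of the drive or share to be checked; demo() runs it over a constructed temporary tree.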
