funsec mailing list archives
Microsoft LNK exploit
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Tue, 20 Jul 2010 15:21:11 -0800
The recently discovered LNK exploit, using the way Microsoft parses link or shortcut icons for display in order to get something else executed, may be a tempest in a teapot. It is technically sophisticated, but so far we don't appear to have seen it used widely. Probably a good thing.

This exploit could be used in a wide variety of ways. You can use it in removable media, so that any time you shove a CD in a drive, or connect a USB stick/thumb drive (or any other USB device, for that matter) to a computer, it results in an infection or some malicious payload.

And remember that OLE stands for object *LINKING* and embedding. Since it is trivially easy to embed a virus in any Windows OLE format data file, it should be just as easy to create malicious links in any such files.

Microsoft's own information on the issue ( http://www.microsoft.com/technet/security/advisory/2286198.mspx ) seems to indicate that there is a related, but separate, issue with Microsoft Office components, related to Web-based activities. (By the way, when accessing that site, the information about how to protect against the exploit is hidden under the "Workarounds" link, rather than being explicit on the page.)

Some of the potential effects are discussed by Randy Abrams at http://blog.eset.com/2010/07/19/it-wasn%E2%80%99t-an-army

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
He who praises everybody, praises nobody. - Samuel Johnson
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.