Slashdot Mirror


Microsoft To Issue Emergency Fix For Windows .LNK Flaw

Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."

22 of 112 comments

  1. Friday sysadmin appreciation day, by Major Downtime · · Score: 5, Funny
  2. Re:Too bad, it's a great conversion tool. by poptones · · Score: 2, Insightful

    My GF uses ubuntu now and she's never touched linux before about a month ago. The only thing to "learn" is to lose the bad habits you pick up from a lifetime of windows use. Just back up your music, movies and emails and reload with ubuntu. Dual booting is poison because you will inevitably boot into windows more and more often because it is familiar and "easy." Just wipe out windows, reload the machine from the ground up with linux, use it for a month and you'll never go back. If you want to play games, buy a 360...

  3. Realtek certificate by John Saffran · · Score: 4, Interesting
    The most interesting aspect of this rootkit was the use of the Realtek private key to sign the drivers. According to Kaspersky:

    Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft officials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.

    In hindsight the vendor certificate is a weakness in the entire process simply because access to the signing key bypasses the controls in place. Hardware vendors aren't likely to be as conscious, at least until this incident, of the need to maintain proper security around their signing keys, nor are there requirements enforcing such security. In comparison keys used for financial transactions are generally held in HSMs with strong access controls around them to prevent the revealing of the private key. This particular rootkit was specifically confined to SCADA so the impact was always going to be small, but the malware could've easily been targeted to attack general Windows installs .. who knows how much damage it could've caused then?

    Luckily this specific certificate was going to expire soon so there was probably less resistance from the vendor in revoking it than there might've been, but if such revocation was going to invalidate significant numbers of drivers then that would've posed the problem of either leaving the certificate valid to be used for other types of malware or revoking it and invalidating however many drivers had already been signed by that key. Unfortunately it's not very likely that hardware manufacturers will ever submit to using HSM-type devices or the processes necessary to ensure key secrecy, so it looks like this will just have to be yet another potential attack vector that's caused by vendor negligence.

    1. Re:Realtek certificate by sjames · · Score: 2, Insightful

      Fine then, the question is why doesn't MS REVOKE the Realtek cert?

      The USEFUL answer is that they did.

  4. Is copy-and-pasting "writing"? by Two99Point80 · · Score: 4, Insightful

    This is just a copy (minus links) of the article at Threatpost. How about at least crediting the source?

  5. what is this .lnk flaw anyway? by rduke15 · · Score: 4, Funny

    I still haven't understood what this .lnk flaw actually is, or what fun things it might be used for (and how).

    The previous discussion about this talked about SCADA systems, so I read the wikipedia article about SCADA but still don't quite get what it really is. And the vulnerability seemed to only be exploited on one particularly stupid system which used a hard-coded password.

    And it seemed to also require the use of Autorun/Autoplay which should obviously be disabled anyway. I have 2 files to take care of that on all my USB drives:

    Autorun.inf:

    [AutoRun]
    open=autorun.cmd
    shell\open\Command=autorun.cmd
    shell\explore\Command=autorun.cmd

    And autorun.cmd:

    @ECHO OFF
    ECHO ALERT: You have autorun enabled on this drive (%~d0)!
    ECHO.
    ECHO Trying to disable it:
    @ECHO ON

    REM NoDriveTypeAutoRun is a value under the Explorer policy key, not a subkey; 255 (0xFF) disables AutoRun for every drive type
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
    REM Map Autorun.inf to a registry key that does not exist, so Windows never reads any autorun.inf
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d "@SYS:Autorun-Disabled" /f

    @ECHO OFF
    ECHO.
    ECHO You may need to reboot.
    ECHO.
    @pause

    1. Re:what is this .lnk flaw anyway? by noesckey · · Score: 5, Informative

      Stuxnet functions even if autorun is disabled: http://www.sophos.com/pressoffice/news/articles/2010/07/stuxnet.html

  6. The really interesting bit by HangingChad · · Score: 4, Insightful

    Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer.

    How do you suppose the crackers got a hold of Realtek's digital certificate? Seems to imply a level of sophistication that goes beyond most virus writers, many of whom are industry professionals these days. A government-backed organization maybe or well-funded industrial espionage.

    Behold the true face of cyberwar!

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:The really interesting bit by alphatel · · Score: 4, Insightful

      Agreed, who cares what the vulnerability is - exploits are never-ending. The digitally signed certificate is a sure-fire method of defeating a number of defense mechanisms and penetrating the MS core even further. As always, the benefit to the code writer is that any MS OS can be fooled, including server systems.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    2. Re:The really interesting bit by AmberBlackCat · · Score: 2, Insightful

      So, if they had acquired the signature for Red Hat's online repository, Fedora wouldn't be vulnerable? If the user clicks yes to accept a Fedora key, that's less risky than clicking to accept a key on Windows?

  7. Windows 2000 users by trifish · · Score: 5, Informative

    A friendly warning to all Windows 2000 users out there, your OSs will remain vulnerable (unless you have a private agreement with MS).

    Support for you ended two weeks ago.
    http://support.microsoft.com/lifecycle/?LN=en-us&x=17&y=3&p1=3071

    1. Re:Windows 2000 users by Mhtsos · · Score: 2, Insightful

      This is especially important to anyone actually using the SCADA software this virus attacks. Some versions of WinCC are incompatible with XP (as in "only certified to run on Windows 2000"; I'm sure nothing technical prevents running in XP). So actually quite a large portion of the target group remains unpatched.

  8. Re:Too bad, it's a great conversion tool. by rduke15 · · Score: 2, Interesting

    VirtualBox is great. I agree that dual boot is a pain, but no access to Windows at all is a pain too. I have an XP VM in VirtualBox (in Ubuntu), so I can use the few Windows-only programs I occasionally need without any trouble.

  9. Re:Too bad, it's a great conversion tool. by RulerOf · · Score: 2, Insightful

    I hear you. Those damn Linux boot loaders can be hard to get rid of.

    Indeed. I've been using SYSLINUX and COM32 for some time now and I love them to pieces. They make NTLDR, and, to a lesser extent, the Windows Boot Manager, look like kids' toys.

    --
    Boot Windows, Linux, and ESX over the network for free.
  10. The real flaw on 3 different OS won't be fixed by Ilgaz · · Score: 3, Insightful

    For some reason, MS will shy away from mandatory CRL/OCSP checks. Bandwidth issues for 1 kb traffic?

    Realtek drivers, as they are software/hardware hybrid (more like softmodem) with unnecessary junk like an extra control panel, weigh around 40 MB. Everyone knows it since we have to deal with their aspx powered weirdo site when vendors, including Apple Inc., install old versions of drivers. What kind of harm would Windows do asking the certificate vendor (Verisign in this case) if the certificate is real?

    This is also a mistake by Apple too, they don't enable OCSP, at least to "best attempt", in a fresh OS X install. You gotta do it in Keychain utility preferences. Sad that, on the OS X way of doing things, that would mean an instant security boost since native OS X apps use the same framework for SSL comms.

    Funny is, this is also a problem on Symbian which doesn't rely on an "app store". For example, on Nokia E71, one must live a complete usability hell if he/she enables "online certificate revocation check". They just couldn't fix the freaking UI and disabled online certificate check for signed Symbian apps. So what happens if some dumb shareware vendor loses their certificate or they actually freely sign malware? You install AV. All this for saving (!) 1 KB of traffic.

    So, even if Verisign revokes it (or hurries, whatever), it won't have any effect until MS/Apple/Symbian (don't know others) wake up and enable certificate revocation checks by default, in these days when even your heater is connected to the internet.

  11. Re:Too bad, it's a great conversion tool. by orangeplanet64 · · Score: 2, Insightful

    If you want to play games, buy a 360...

    I want to play Starcraft 2 you insensitive clod..

  12. Re:Too bad, it's a great conversion tool. by Jesus_666 · · Score: 2, Insightful

    If you want to play games, buy a 360...

    How do you install System Shock 2 on an X-Box 360? There are games that aren't supported by $CONSOLE but that people still want to play.

    If you want to do dual booting right, just move all of your data to one of the Linux partitions and erase it from the Windows partition. Then uninstall the corresponding programs. Once you're unable to check your mail/chat/etc. in Windows you'll have a much smaller incentive to stay there for longer than necessary.

    --
    USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  13. Re:Too bad, it's a great conversion tool. by RulerOf · · Score: 2, Funny

    ...SYSLINUX....COM32...NTLDR... Windows Boot Manager...

    The what now? ...the age of the 1-click iPad has begun. There is a reason for its success...

    My Lawn! You BASTARD!

    --
    Boot Windows, Linux, and ESX over the network for free.
  14. The 1 click wonder? by poptones · · Score: 2, Funny

    An iPad? ROTFL. Let's see you develop SOFTWARE for that iPad... on your iPad.

    Apple users need to learn to speak without Steve's hand up their anus...

  15. Re:getting things done by basscomm · · Score: 2, Informative

    Except for the fact that I've never had a Windows box that got compromised or infected with any kind of virus, trojan or malware. Most "vulnerabilities" in Windows are user initiated. Practice a little common sense (i.e. don't run things that come from questionable or unknown sources) and you are unlikely to ever see a problem.

    Baloney. Let me guess, you don't have any antivirus installed either, because you don't need it? Either you haven't been using Windows for very long or your only Windows box is turned off in the corner. Back in the 90s I got a disk from my school that was infected with Stoned, and a few years later bought a CD-ROM game that came with Michelangelo on the disc itself. Even more recently, hardware from (more or less) reputable sources comes preloaded with malware. Heck, part of my job is removing malware from PCs on a near-daily basis, and even though I know better, my USB key got hit by the Autorun worm last summer. So yeah, common sense and safe browsing habits are wonderful things, but they're not a panacea. There are so many attacks coming from so many vectors, that if you use a Windows box you will get some kind of infection eventually.

    --
    http://crummysocks.com
  16. LNK is an Open Specification by kingdominic · · Score: 4, Interesting

    The .LNK Binary File Format is an Open Specification provided by Microsoft via the following document:
    http://msdn.microsoft.com/en-us/library/dd871305(PROT.13).aspx
    ~ king
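Since the format is public, an analyst can decode a shortcut's fields offline (say, from a USB drive) instead of letting Explorer render it. The parser below is an added example written for this page, not code from Microsoft or from the specification; it follows the MS-SHLLINK layout (ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData), refuses anything malformed or truncated, and builds its own constructed sample file. The cp1252 code page for non-Unicode strings and the field names in the returned dict are assumptions.

```python
import struct
import uuid

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")  # LinkCLSID that every .lnk carries
# LinkFlags bits 0..7 (low bit first); bits 2..6 each announce one StringData field.
LINK_FLAGS = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
              "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # dict keys are our own names

def _unpack(fmt, data, pos):  # struct.unpack_from with a bounds check: truncation is a ValueError
    if pos + struct.calcsize(fmt) > len(data):
        raise ValueError(f"truncated at offset {pos}")
    return struct.unpack_from(fmt, data, pos)

def parse_lnk(data):
    """Decode ShellLinkHeader, LinkTargetIDList and StringData; raise ValueError if malformed."""
    size, clsid, flags = _unpack("<I16sI", data, 0)  # HeaderSize, LinkCLSID, LinkFlags
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("HeaderSize/LinkCLSID mismatch: not a shell link")
    info = {"flags": [n for i, n in enumerate(LINK_FLAGS) if flags & (1 << i)], "item_ids": []}
    pos = HEADER_SIZE
    if flags & 0x01:  # LinkTargetIDList: IDListSize, then ItemIDs, then a 2-byte TerminalID
        (idlist_size,) = _unpack("<H", data, pos)
        idlist, pos, off = _unpack(f"<{idlist_size}s", data, pos + 2)[0], pos + 2 + idlist_size, 0
        while (item_size := _unpack("<H", idlist, off)[0]) != 0:  # ItemIDSize 0 is the TerminalID
            if item_size < 2 or off + item_size > len(idlist) - 2:
                raise ValueError("ItemIDSize inconsistent with IDListSize")
            info["item_ids"].append(idlist[off + 2:off + item_size])  # ItemID.Data, opaque to us
            off += item_size
    if flags & 0x02:  # LinkInfo: skip it by its leading LinkInfoSize DWORD
        pos += _unpack("<I", data, pos)[0]
    unicode = flags & 0x80  # IsUnicode: StringData is UTF-16LE, otherwise the system code page
    for bit, name in STRING_FIELDS:  # each item: CountCharacters (2 bytes) + characters, no NUL
        if flags & bit:
            nbytes = _unpack("<H", data, pos)[0] * (2 if unicode else 1)
            raw = _unpack(f"<{nbytes}s", data, pos + 2)[0]
            info[name] = raw.decode("utf-16-le" if unicode else "cp1252")  # cp1252 assumed for ANSI
            pos += 2 + nbytes
    return info

def build_sample_lnk():  # constructed sample, not a real-world file: two ItemIDs + Unicode IconLocation
    flags = 0x01 | 0x40 | 0x80  # HasLinkTargetIDList | HasIconLocation | IsUnicode
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, 3 times, size, icon, SW_SHOWNORMAL, rest
    items = [b"\x1froot", b"example.txt"]
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    icon = "%SystemRoot%\\system32\\shell32.dll".encode("utf-16-le")
    return header + struct.pack("<H", len(idlist)) + idlist + struct.pack("<H", len(icon) // 2) + icon
```

Running parse_lnk(build_sample_lnk()) returns the three set flags, the two ItemID payloads and the icon path; a file with a bad CLSID, an IDListSize larger than the file, or a cut-off string raises ValueError rather than being silently accepted.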

  17. Re:"have been exploiting for several weeks now..." by Shados · · Score: 2, Informative

    Because for various reasons (some that are even good), Microsoft normally only releases patches once a month. When they can't wait, they call it an emergency fix. Simple enough?