Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft To Issue Emergency Fix For Windows .LNK Flaw

Posted by Soulskill on from the tee-plus-two-weeks dept.

Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."

9 of 112 comments (clear)

  1. Friday sysadmin appreciation day, by Major+Downtime · · Score: 5, Funny

    followed by Monday-Out-Of-Band-Patch-Day.
    http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx

  2. Realtek certificate by John+Saffran · · Score: 4, Interesting
    The most interesting aspect of this rootkit was the use of the Realtek private key to sign the drivers. According to Kapersky:

    Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft oficials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.

    In hindsight the vendor certificate is a weakness in the entire process simply because access to the signing key bypasses the controls in place. Hardware vendors aren't likely to be as concious, at least until this incident, of the need to maintain proper security around their singing keys, nor are there requirements enforcing such security. In comparison keys used for financial transactions are generally held in HSMs with strong access controls around them to prevent the revealing of the private key. This particular rootkit was specifically confined to SCADA so the impact was always going to be small, but the malware could've easily been targetted to attack general windows installs .. who knows how much damage it could've caused then?

    Luckily this specific certificate was going to expire soon so there was probably less resistance from the vendor in revoking it than there might've been, but if such revokation was going to invalidate significant numbers of drivers then that would've posed the problem of either leaving the certificate valid to be used for other types of malware or revoking it and invalidating however many drivers had already been signed by that key. Unfortunately it's not very likely that hardware manufacturers will ever submit to using HSM-type devices or the processes necessary to ensure key secrecy, so it looks like this will just have to be yet another potential attack vector that's caused by vendor negligence.

  3. Is copy-and-pasting"writing"? by Two99Point80 · · Score: 4, Insightful

    This is just a copy (minus links) of the article at Threatpost. How about at least crediting the source?

  4. what is this .lnk flaw anyway? by rduke15 · · Score: 4, Funny

    I still haven't understood what this .lnk flaw actually is, or what fun things it might be used for (and how).

    The previous discussion about this talked about SCADA systems, so I read the wikipedia article about SCADA but still don't quite get what it really is. And the vulnerability seemed to only be exploited on one particularly stupid system which used a hard-coded password.

    And it seemed to also require the use of Autorun/Autoplay which should obviously be disabled anyway. I have 2 files to take care of that on all my USB drives:

    Autorun.inf:

    [AutoRun]
    open=autorun.cmd
    shell\open\Command=autorun.cmd
    shell\explore\Command=autorun.cmd

    And autorun.cmd:

    @ECHO OFF
    ECHO ALERT: You have autorun enabled on this drive (%~d0)!
    ECHO.
    ECHO Trying to disable it:
    @ECHO ON

    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun" /ve /t REG_DWORD /d 255 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d "@SYS:Autorun-Disabled" /f

    @ECHO OFF
    ECHO.
    ECHO You may need to reboot.
    ECHO.
    @pause

    1. Re:what is this .lnk flaw anyway? by noesckey · · Score: 5, Informative

      Stuxnet functions even if autorun is disabled: http://www.sophos.com/pressoffice/news/articles/2010/07/stuxnet.html

  5. The really interesting bit by HangingChad · · Score: 4, Insightful

    Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer.

    How do you suppose the crackers got a hold of Realtek's digital certificate? Seems to imply a level of sophistication that goes beyond most virus writers, many of whom are industry professionals these days. A government-backed organization maybe or well-funded industrial espionage.

    Behold the true face of cyberwar!

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:The really interesting bit by alphatel · · Score: 4, Insightful

      Agreed, who cares what the vulnerability is - exploits are never-ending. The digitally signed certificate is a sure-fire method of defeating a number of defense mechanisms and penetrate the MS core even further. As always, the benefit to the code writer is that any MS OS can be fooled, including server systems.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  6. Windows 2000 users by trifish · · Score: 5, Informative

    A friendly warning to all Windows 2000 users out there, your OSs will remain vulnerable (unless you have a private agreement with MS).

    Support for you ended two weeks ago.
    http://support.microsoft.com/lifecycle/?LN=en-us&x=17&y=3&p1=3071

  7. LNK is an Open Specification by kingdominic · · Score: 4, Interesting

    The .LNK Binary File Format is an Open Specification provided by Microsoft via the following document:
    http://msdn.microsoft.com/en-us/library/dd871305(PROT.13).aspx
    ~ king