Tuesday, July 20, 2010

Serious Microsoft Windows LNK Vulnerability

This one looks very serious to me, and I expect Microsoft will be forced to release an "out-of-band" patch to correct this problem. Unfortunately both workarounds proposed by Microsoft in its Security Advisory have significant effects on the usability of Windows PCs: disabling the display of icons for shortcuts means all your desktop shortcuts and all your Quick Launch icons become identical generic shapes, and disabling the WebClient service breaks WebDAV, which many web-enabled programs such as JungleDisk backup depend on. SANS has raised the Infocon level to Yellow, something it hasn't done since 2009.

Below are links to and excerpts from several articles. The "Mitigating Factors" section of Microsoft's Security Advisory notes that "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." That mitigation offers nothing to anyone running as a local administrator: code launched through the vulnerability inherits full administrative rights, so such systems are completely exposed until a patch is available.

US-CERT Current Activity: Microsoft Windows LNK Vulnerability
US-CERT is aware of a vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for LNK files. Microsoft uses LNK files, commonly referred to as "shortcuts," as references to files or applications.

By convincing a user to display a specially-crafted LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user.

Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include:
  • disabling the display of icons for shortcuts
  • disabling the WebClient service
In addition to implementing the workarounds listed in Microsoft Security Advisory 2286198, US-CERT encourages users and administrators to consider implementing the following best practice security measures to help further reduce the risks of this and other vulnerabilities:
  • Disable AutoRun as described in Microsoft Support article 967715.
  • Implement the principle of least privilege as defined in the Microsoft TechNet Library.
  • Maintain up-to-date antivirus software.
Additional information can be found in the US-CERT Vulnerability Note VU#940193.

US-CERT will provide additional information as it becomes available.
Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow
... we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far.

Although the original attack used the LNK vulnerability to infect systems from a USB key, the exploit can also launch malicious programs over SMB file shares. In one scenario, attackers that have access to some systems in the enterprise can use the vulnerability to infect other internal systems.

We discussed the LNK vulnerability in a diary a few days ago. That note pointed to Microsoft's advisory that described the bug "Windows Shell Could Allow Remote Code Execution," which affects most versions of Windows operating systems. Microsoft's workarounds for the issue include:

  • Disable the displaying of icons for shortcuts. This involves deleting a value from the registry, and is not the easiest thing to do in some enterprise settings. Group Policy-friendly options include the use of Registry Client-Side Extensions, the regini.exe utility and the creation of a custom .adm file: see Distributing Registry Changes for details.
  • Disable the WebClient service. This will break WebDAV and any services that depend on it.
... Additional recommendations ... have [probably] done this already back when the Conficker worm began spreading. Another challenge is that Windows 2000 and Windows XP Service Pack 2 are vulnerable, yet Microsoft no longer provides security patches for these OS. As a result, we believe most environments will be exposed until Microsoft releases a patch. We're raising the Infocon level in the hope that increased vigilance will increase enterprises' ability to detect and respond to the attacks that may use the LNK vulnerability.
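The three steps the US-CERT note and the SANS diary list above (remove the shortcut icon handler, disable the WebClient service, disable AutoRun as in KB 967715) as one PowerShell script for a single machine. This is an added example, not code from Microsoft, US-CERT or SANS. The registry locations it edits (HKCR\lnkfile\shellex\IconHandler, HKCR\piffile\shellex\IconHandler, and NoDriveTypeAutoRun under the Explorer policy key) are my reading of advisory 2286198 and KB 967715, not text quoted on this page; the backup file location is my own choice. Run it from an elevated prompt: Check is read-only, Apply saves the original values before changing anything, Revert restores them.

```powershell
#Requires -Version 2.0
# Added example, not code from Microsoft, US-CERT or SANS: reports, applies or
# reverts the three hardening steps quoted above.
#   Check  (default) print the current state and change nothing
#   Apply  delete the shortcut icon handlers, disable WebClient, set NoDriveTypeAutoRun = 0xFF
#   Revert put back the values Apply saved
# Run elevated. Registry paths are my reading of advisory 2286198 and KB 967715
# (assumption: verify against the advisory before pushing this through Group Policy).
param(
    [ValidateSet('Check', 'Apply', 'Revert')]
    [string]$Mode = 'Check'
)

# Icon-handler keys for .lnk and .pif files (workaround 1). Their (Default) value names
# the COM icon handler Explorer loads; deleting that value is the workaround.
$IconHandlerSubKeys = @('lnkfile\shellex\IconHandler', 'piffile\shellex\IconHandler')
# Where Apply saves the original values so Revert can restore them (hypothetical path).
$BackupFile  = Join-Path $env:ProgramData 'lnk-workaround-backup.xml'
# AutoRun policy value from KB 967715: one bit per drive type, 0xFF disables AutoRun on all.
$AutoRunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutoRunName = 'NoDriveTypeAutoRun'
$AutoRunAll  = 0xFF

function Get-IconHandler([string]$SubKey) {
    # GetValue('') reads the (Default) value; $null when the key or value is missing.
    $key = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$SubKey" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') } else { $null }
}

function Get-WebClientService {
    # Win32_Service exposes StartMode on PowerShell 2.0, where Get-Service has no StartType.
    Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
}

function Get-AutoRunPolicy {
    (Get-ItemProperty -Path $AutoRunKey -Name $AutoRunName -ErrorAction SilentlyContinue).$AutoRunName
}

function Show-WorkaroundState {
    foreach ($sk in $IconHandlerSubKeys) {
        $v = Get-IconHandler $sk
        if ([string]::IsNullOrEmpty($v)) { $s = 'handler removed (workaround active)' } else { $s = "handler = $v" }
        Write-Host ('{0,-34} {1}' -f "HKCR\$sk", $s)
    }
    $svc = Get-WebClientService
    if ($svc) { $s = '{0}, start mode {1}' -f $svc.State, $svc.StartMode } else { $s = 'not installed' }
    Write-Host ('{0,-34} {1}' -f 'WebClient service', $s)
    $ar = Get-AutoRunPolicy
    if ($ar -eq $null)           { $s = 'not set (AutoRun enabled)' }
    elseif ($ar -eq $AutoRunAll) { $s = '0xFF (AutoRun disabled on all drive types)' }
    else                         { $s = '0x{0:X2} (AutoRun still allowed on some drive types)' -f $ar }
    Write-Host ('{0,-34} {1}' -f $AutoRunName, $s)
}

function Enable-LnkWorkarounds {
    $backup = @{}
    # 1. Save and delete the (Default) icon-handler values (/ve addresses the (Default) value).
    #    Explorer only notices after it restarts, so log off and on afterwards.
    foreach ($sk in $IconHandlerSubKeys) {
        $backup[$sk] = Get-IconHandler $sk
        & reg.exe delete "HKCR\$sk" /ve /f | Out-Null
    }
    # 2. Stop and disable WebClient, the WebDAV redirector; remember its start mode for Revert.
    $svc = Get-WebClientService
    if ($svc) {
        $backup['WebClientStartMode'] = $svc.StartMode
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
    # 3. Disable AutoRun for every drive type (KB 967715).
    $backup['AutoRun'] = Get-AutoRunPolicy
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name $AutoRunName -Value $AutoRunAll -Type DWord
    $backup | Export-Clixml -Path $BackupFile
    Write-Host "Applied. Originals saved to $BackupFile. Log off and on so Explorer reloads."
}

function Disable-LnkWorkarounds {
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; nothing to restore." }
    $backup = Import-Clixml -Path $BackupFile
    foreach ($sk in $IconHandlerSubKeys) {
        if ($backup[$sk]) { & reg.exe add "HKCR\$sk" /ve /d $backup[$sk] /f | Out-Null }
    }
    if ($backup['WebClientStartMode']) {
        # WMI reports 'Auto'; Set-Service expects 'Automatic'.
        if ($backup['WebClientStartMode'] -eq 'Auto') { $m = 'Automatic' } else { $m = $backup['WebClientStartMode'] }
        Set-Service -Name WebClient -StartupType $m
    }
    if ($backup['AutoRun'] -eq $null) {
        Remove-ItemProperty -Path $AutoRunKey -Name $AutoRunName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $AutoRunKey -Name $AutoRunName -Value $backup['AutoRun'] -Type DWord
    }
    Write-Host 'Reverted from backup. Log off and on so Explorer reloads.'
}

switch ($Mode) {
    'Apply'  { Enable-LnkWorkarounds }
    'Revert' { Disable-LnkWorkarounds }
}
Show-WorkaroundState
```

Usage: `.\lnk-workaround.ps1` prints the state, `.\lnk-workaround.ps1 -Mode Apply` hardens, `.\lnk-workaround.ps1 -Mode Revert` undoes it once a patch is installed. Expect exactly the side effects described above: every shortcut icon turns generic after the next logon, and anything that relies on WebDAV stops working. For a fleet, the same two registry changes and the service change are what you would push through the Group Policy mechanisms the SANS diary lists rather than running this per machine.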

Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of this issue. The following mitigating factors may be helpful in your situation:
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Other articles and discussions:
This is an article about a third-party fix for this issue, discussed on one of the SANS pages:
