We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation. Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far. Although the original attack used the LNK vulnerability to infect systems from a USB key, the exploit can also launch malicious programs over SMB file shares. In one scenario, attackers who have access to some systems in the enterprise can use the vulnerability to infect other internal systems. We discussed the LNK vulnerability in a diary a few days ago. That note pointed to Microsoft's advisory, which described the bug as "Windows Shell Could Allow Remote Code Execution" and which affects most versions of the Windows operating system. Microsoft's workarounds for the issue include:
Another approach to mitigating a possible LNK attack involves the use of Didier Stevens' tool Ariad. Note that the tool is beta software operating in the OS kernel, so it's probably not a good match for an enterprise-wide rollout. Additional recommendations for making the environment resilient to an attack that exploits the LNK vulnerability include:
Sadly, the enterprises likely ever to disable autorun and lock down SMB file shares probably did so already back when the Conficker worm began spreading. Another challenge is that Windows 2000 and Windows XP Service Pack 2 are vulnerable, yet Microsoft no longer provides security patches for these operating systems. As a result, we believe most environments will be exposed until Microsoft releases a patch. We're raising the Infocon level in the hope that increased vigilance will improve enterprises' ability to detect and respond to attacks that may use the LNK vulnerability. Do you have recommendations for addressing the LNK issue? Let us know.

-- Lenny

Lenny Zeltser - Security Consulting
Posted by Lenny (216 posts), Jul 19th 2010
The threatcon status change is not updating on my site's HTML link; it remains green?

Anonymous, Jul 19th 2010
If you have a 2008 Domain, you can use Group Policy Registry Client-Side Extensions to easily push out this registry mod.
http://technet.microsoft.com/en-us/library/dd392560%28WS.10%29.aspx Otherwise, this registry mod can be deployed as a logon script or even pushed out using something like SMS or SCCM2K7.

Anonymous, Jul 19th 2010
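An added example, not part of this thread or of Microsoft's advisory, of what such a logon script or SCCM package might look like: it assumes the "registry mod" in question is the advisory workaround of clearing the (Default) value of HKCR\lnkfile\shellex\IconHandler (the page itself does not name the key), and it keeps a backup so the change can be reverted once a patch ships.

```powershell
# Added example (assumption: the workaround is clearing the (Default) value of
# HKCR\lnkfile\shellex\IconHandler; the key is not named on the page). Run elevated.
# Usage: .\Lnk-IconHandler.ps1 -Action Apply|Verify|Revert
param(
    [ValidateSet('Apply', 'Verify', 'Revert')]
    [string]$Action = 'Verify',
    # Where the original handler CLSID is saved so Revert can restore it (hypothetical path).
    [string]$BackupFile = "$env:ProgramData\lnk-iconhandler-backup.txt"
)

# HKCR is not a PSDrive by default, so address it through the Registry provider.
$Key = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'

function Get-HandlerValue {
    # Returns the key's (Default) value, or $null when the key is absent.
    $item = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($item) { return $item.GetValue('') }
    return $null
}

function Restart-Explorer {
    # The shell caches the handler; Explorer must restart for the change to take effect.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
}

switch ($Action) {
    'Apply' {
        $current = Get-HandlerValue
        if ([string]::IsNullOrEmpty($current)) { Write-Output 'IconHandler already cleared.'; break }
        Set-Content -Path $BackupFile -Value $current      # keep the CLSID for rollback
        Set-ItemProperty -Path $Key -Name '(default)' -Value ''
        Write-Output "Cleared IconHandler (was $current); backup written to $BackupFile"
        Restart-Explorer
    }
    'Verify' {
        # Non-zero exit code lets a compliance check (GPO, SCCM) flag hosts still exposed.
        $current = Get-HandlerValue
        if ([string]::IsNullOrEmpty($current)) { Write-Output 'Workaround in place.'; exit 0 }
        Write-Output "Workaround NOT in place: IconHandler = $current"; exit 1
    }
    'Revert' {
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
        $saved = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()
        Set-ItemProperty -Path $Key -Name '(default)' -Value $saved
        Write-Output "Restored IconHandler to $saved"
        Restart-Explorer
    }
}
```

Clearing the handler removes shortcut icons everywhere, as later comments in this thread note, so test on a pilot group before pushing it domain-wide.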
Hit Ctrl-F5 to refresh your browser.
Yellow is a bit premature, especially when this is not a remote exploit.

Anonymous, Jul 19th 2010
Whether or not it's premature I don't know, but this vulnerability concerns me more than many others I've seen recently. This could quickly turn into a worm on corporate networks if the exploit is crafted to copy itself to mapped drives. The user might not even need to be convinced to explore to that directory if the mapped drive is created at startup, as the files are enumerated automatically.
All it would take is one bad USB drive and a mapped drive with a lot of users and the whole company is owned...

jtwaldo (17 posts), Jul 19th 2010
The problem can be much worse than the desktops of end users.
Consider a system admin using domain admin rights while logged into a file server to fix an issue with a user's network share (e.g. permissions on a file, quotas ....). If that share now has the shortcut exploit and malware, the sys admin has just infected the server they are on. This is a realistic scenario based on daily support operation tasks for an IT shop, let alone worrying about the more automated ways for the shortcut to be enumerated while logging into a server. Desktops are easy enough to re-image even if you really don't want to have to do it. Servers are a much bigger problem to deal with.

jtwaldo (1 post), Jul 19th 2010
For those not reading the previous post on this topic, this could come in handy:
I've created a little shell extension fixing this issue. It inserts itself in front of the shell link icon handler and calls the original one only when it's safe. Should work on XP+, with downloadable x86 and AMD64 builds. Get binaries (and source) at http://code.google.com/p/linkiconshim/

jtwaldo (2 posts), Jul 19th 2010
I don't think going to yellow over this is premature at all. This is a huge deal, especially for average users.
Very easy to distribute via torrents and zipped files on the various download sites.

jtwaldo (22 posts), Jul 19th 2010
@fifth.sentinel I agree, that's the one that really worries me. We're leaving our clients alone for the time being (hopefully Forefront handles it), but every server is losing icons on LNK files for the time being.
My real fear is that some solid code comes out using the LNK vectors that also exploits a previously unknown privilege escalation vulnerability. Combined with some well-crafted code, it would get real bad really quickly.

Anonymous, Jul 20th 2010
Oops look, no outbreak, no mayhem.

Anonymous, Jul 22nd 2010