July 21, 2010

Microsoft has released a stopgap fix to help Windows users protect themselves against threats that may try to target a newly discovered, critical security hole that is present in every supported version of Windows.

Last week, KrebsOnSecurity.com reported that security researchers in Belarus had found a sophisticated strain of malware that was exploiting a previously unknown flaw in the way Windows handles shortcut files. Experts determined that the malware exploiting the vulnerability was being used to attack computers that interact with networks responsible for controlling the operations of large, distributed and very sensitive systems, such as manufacturing and power plants.

When Microsoft initially released an advisory acknowledging the security hole last week, it said customers could disable the vulnerable component by editing the Windows registry. Trouble is, editing the registry can be a dicey affair for those less experienced working under the hood in Windows because one errant change can cause system-wide problems.

But in an updated advisory posted Tuesday evening, Microsoft added instructions for using a much simpler, point-and-click “FixIt” tool to disable the flawed Windows features. That tool, available from this link, allows Windows users to nix the vulnerable component by clicking the “FixIt” icon, following the prompts, and then rebooting the system.

Be advised, however, that making this change could make it significantly more difficult for regular users to navigate their computer and desktop, as it removes the graphical representation of shortcut icons on the Taskbar and Start menu and replaces them with plain, white icons.
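The registry workaround Microsoft described, written as a reversible script, is shown below as an added example. This is not Microsoft's FixIt and not code from the article. It assumes (not stated on the page) that the vulnerable component is the shell icon handler registered for .lnk and .pif files, stored as the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler and HKEY_CLASSES_ROOT\piffile\shellex\IconHandler, and that blanking that value is what produces the plain white icons. Because an errant registry edit is the risk the article warns about, the script exports each key with reg.exe before touching it, so the change can be backed out with the same script. The optional WebClient step stops the WebDAV client service that a commenter below mentions disabling; the startup type it restores on revert (Manual) is an assumption about the default.

```powershell
# Added example: reversible registry workaround for the shortcut icon handler.
# Not Microsoft's FixIt. Run from an elevated PowerShell prompt; reboot afterwards.
[CmdletBinding()]
param(
    [ValidateSet('Status', 'Apply', 'Revert')]
    [string]$Mode = 'Status',
    [switch]$WebClient,   # also stop/disable (or re-enable) the WebDAV client service
    [string]$BackupDir = "$env:ProgramData\ShortcutIconWorkaround"   # assumed location
)

# Assumed keys: the default value of each holds the icon handler CLSID.
$handlers = @{
    lnkfile = 'HKCR\lnkfile\shellex\IconHandler'
    piffile = 'HKCR\piffile\shellex\IconHandler'
}

function ConvertTo-ProviderPath([string]$regPath) {
    # reg.exe uses HKCR\...; the PowerShell provider wants Registry::HKEY_CLASSES_ROOT\...
    'Registry::HKEY_CLASSES_ROOT\' + $regPath.Substring('HKCR\'.Length)
}

function Get-HandlerValue([string]$regPath) {
    $psPath = ConvertTo-ProviderPath $regPath
    if (-not (Test-Path $psPath)) { return $null }
    (Get-ItemProperty -Path $psPath).'(default)'   # '(default)' is the unnamed value
}

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($Mode -ne 'Status' -and -not $isAdmin) {
    throw 'Apply and Revert modify HKEY_CLASSES_ROOT and need an elevated prompt.'
}

switch ($Mode) {
    'Apply' {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        foreach ($name in $handlers.Keys) {
            $backup = Join-Path $BackupDir "$name-IconHandler.reg"
            # Keep a restorable copy of the key before changing anything.
            & reg.exe export $handlers[$name] $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup of $($handlers[$name]) failed; aborting." }
            # Blank the default value so Explorer no longer loads the icon handler.
            Set-ItemProperty -Path (ConvertTo-ProviderPath $handlers[$name]) -Name '(default)' -Value ''
        }
        if ($WebClient) {
            Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
            Set-Service  -Name WebClient -StartupType Disabled
        }
        Write-Output "Workaround applied. Backups are in $BackupDir. Reboot to take effect."
    }
    'Revert' {
        foreach ($name in $handlers.Keys) {
            $backup = Join-Path $BackupDir "$name-IconHandler.reg"
            if (-not (Test-Path $backup)) { throw "No backup at $backup; nothing to revert." }
            & reg.exe import $backup | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Import of $backup failed." }
        }
        if ($WebClient) {
            Set-Service -Name WebClient -StartupType Manual   # assumed original startup type
        }
        Write-Output 'Original icon handler values restored. Reboot to take effect.'
    }
    'Status' {
        foreach ($name in $handlers.Keys) {
            $value = Get-HandlerValue $handlers[$name]
            $state = if ([string]::IsNullOrEmpty($value)) { 'DISABLED (workaround active)' }
                     else { "ACTIVE ($value)" }
            Write-Output ('{0,-8} icon handler: {1}' -f $name, $state)
        }
        $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
        if ($svc) { Write-Output ('WebClient service: {0}' -f $svc.Status) }
    }
}
```

Run the script with `-Mode Status` first to see whether the handler CLSIDs are still present, `-Mode Apply` to blank them (add `-WebClient` to also disable the WebDAV client), and `-Mode Revert` to import the backups again before installing the vendor patch.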

For instance, most Windows users are familiar with these icons:

According to Microsoft, after applying this fix, those icons will be replaced with nondescript (and frankly ugly) placeholders that look like this:

There are currently no signs that this vulnerability is being used in anything but targeted attacks against some very important targets. That said, the situation could change rapidly. For one thing, a proof-of-concept exploit is now publicly available and embedded into open-source attack tools. And while initial reports suggested the primary means of exploiting this flaw required someone to plug an unfamiliar USB device into their system, experts have since shown that the exploit can also be used to spread and launch malicious programs over network shares.

The SANS Internet Storm Center on Monday made the relatively rare decision to change its threat warning level to yellow over this vulnerability, warning that “wide-scale exploitation is only a matter of time.”

“The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch,” SANS incident handler Lenny Zeltser wrote. “Furthermore, anti-virus tools’ ability to detect generic versions of the exploit has not been very effective so far.”

Both of these potential exploit paths probably make this vulnerability far more dangerous for corporate and business users than for home users. That said, having ugly Start Menu and Taskbar icons for a few weeks until Microsoft issues a real fix for this flaw may be a small price to pay for peace of mind. Also, the FixIt changes can be undone simply by visiting this link and clicking the FixIt icon under the “Disable This Workaround” heading.

Further reading:

Siemens: German Customer Hit by Industrial Worm

Mitigating Link Exploitation with Ariad

ICS-CERT: USB Malware Targeting Siemens Control Software (PDF)


32 thoughts on “Tool Blunts Threat from Windows Shortcut Flaw”

  1. Nogero

    I have figured out that your website works strangely on Google Chrome browser version 5.0.375.99 (latest Ubuntu). The “subscribe to feed” buttons at top right do not function at all.

    I am subscribed to RSS using Google Reader. In both Firefox and Chrome your site claims I am a “Welcome Googler! If you find this page useful, you might want to subscribe to the RSS feed for updates on this topic or subscribe by email in the sidebar” and the sidebar doesn’t work. This message is large at the top of the article and covers the post date.

    1. JBV

      @Nogero, there are a lot of web pages where embedded RSS links don’t work in Chrome.

      If you don’t already have it, get the plugin extension for Chrome: RSS Subscription Extension (by Google) – Version: 2.1.1, by going to Chrome’s little wrench icon and clicking on Extensions.

      That will put the RSS icon in the Chrome search bar when an address has a feed available.

      When you click on it here, for example, it will offer a menu choice of pages (the current page and Krebs on Security home page in RSS or RSS atom feed) .

  2. Bart

    “…the exploit can also be used to spread and launch malicious programs over network shares.”

    What are “network shares”?

    1. BrianKrebs Post author

      Bart — If you share files across a network, the folders or drives you share are called network shares. If you haven’t set up your network to share specific files or folders, then you likely don’t have network shares.

  3. Aurelius

    Question is how effective is this FixIt as a workaround? Does it prevent exploitation using any and all of the attack vectors (removable media, network shares, WebDAV, documents and webpages), or just some of them? It’s not immediately clear from the MS advisory if there’s any difference between the various reported attack vectors that might make this workaround ineffective for some of them. I guess common logic says that if the FixIt disables icon processing for shortcut files (PIF & LNK) then it doesn’t matter where the malicious shortcuts come from, USB or webpage or document or network share, the icon should be blanked out and the exploit impossible, right?

  4. xAdmin

    The remote attack vector is the biggest threat for me as I don’t use USB devices and have strict control over my internal network and network attached storage (NAS). So, I’m comfortable with the mitigating step of disabling the WebClient service, something I’ve been doing anyway as part of a defense in depth strategy of disabling unneeded services to lower the attack surface of the system.

    The other local attack vectors I’m less worried about because they are directly under my control and are well covered by other defensive measures. I guess my main point is that a multi-layered defense will provide the best peace of mind and minimize panic when these types of threats pop up. You can then gather information on the threat and make an educated decision if any further steps are necessary. No need to run around with your hair on fire! 😛

  5. Michael

    Are people aware that Microsoft’s Advisory says just browsing to a web site that’s been infected with a malicious .lnk on IE will trigger the exploit because IE will try to load the shortcut’s icon? The word is will, not may. Sounds super scary to me. Image display’s always disabled on my FF anyway but don’t know if this helps as I’m a non-geek. BTW, my XP Home icons are way uglier than any of those shown above, even the plain white one. I’d settle for plain white ones any day.

    1. KFritz

      Ugly isn’t as important as being able to IDENTIFY the icon for easy, quick use.

      The only aesthetically pleasing item I’ve ever found fr/ MS is the deep blue color which goes well w/ the LOTR paintings fr/ Ted Nasmith that I use for opening screens.

      http://www.tednasmith.com/tolkien.html

      1. Michael

        True, but I’ve had this laptop for a long time and know where the shortcuts are and I’m beginning to *like* my mangled desktop, ugly as it is.

  6. Nogero

    @JBV Thanks, but that isn’t the issue. I already am subscribed to RSS via Google Reader. I get to Krebs site by a link from iGoogle. The webpage thinks igoogle/google reader is from a google search, it isn’t.

    1. Doug

      I have the exact same response when I click on the RSS feed from iGoogle, (quote: “Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.
      You may also subscribe by email in the sidebar”).

      It is mildly annoying but I like and appreciate Brian’s work so I don’t care.

      Am using Firefox with the NoScript, Permit Cookies, Scrapbook & Adblock Plus add-ons.

        1. Doug

          Yes, I should have mentioned that! 🙂

          Am happily using WIN XP Pro Service Pack 3 on a Dell Inspiron 530, Core 2 Duo E6550 @2.33GHz. (Aside: I boot in about 50 seconds, shutdown in 6-7 seconds, but usually only reboot after the monthly MS updates.)

          Brian, thanks for all the work you do for the community – it is greatly appreciated.

  7. Sile

    Michael-
    That’s certainly a disturbing notice that I missed. We don’t use IE here at work as a safety precaution, but I’m going to have to check to see if FireFox leaves us open on that score. Thanks for the heads-up. Time to go re-read that MS post again to see if there’s any other little gems I missed.

  8. Axel

    If you’d like to stay on the secure side and nevertheless see your original icons – at least for some shortcuts – then you could use internet shortcuts. It’s only necessary to copy the following four lines into an editor and save the file with the extension “url”, i.e. for Notepad – notepad.url:

    [InternetShortcut]
    URL=c:\windows\system32\notepad.exe
    IconIndex=1
    IconFile=c:\windows\system32\notepad.exe

    1. Peter

      Has anyone installed and used/tested this tool? What have the results been?

      1. Michael

        SANS says the Sophos tool works for .LNKs but not for .PIFs.

      2. xAdmin

        Haven’t tried it. I’ve always been very uncomfortable implementing third party fixes. Would rather it come from the vendor directly! Regardless of whether it’s effective or not, IMO, such third party fixes complicate the situation as you’ll have to uninstall it before installing Microsoft’s official patch (when it gets released, hopefully soon). Then you have to hope that the Sophos tool doesn’t leave something behind that may interfere with Microsoft’s patch or prevent its installation.

        From what I’ve read on Sophos’ fix, it seems more a marketing strategy of, “Look, we came up with a fix, try our product!”

        From their site (first link of MowGreen’s post):
        “Sophos customers are safe from this exploit. Not a Sophos customer? Try Sophos Endpoint Security and Data Protection for free.”

  9. xAdmin

    Something that hasn’t been said enough is the value of using a limited user account! As with most malware, it needs full administrator access to fully infect a system. Those areas of the hard drive and registry (listed below) are READ ONLY when you’re logged in with a limited user, so the malware is unable to write there and is unable to do its bidding! Of course all of this is assuming malware gets past your primary defenses first. Thus, the value of a multi-layered defense!

    From Sophos (http://www.sophos.com/security/analyses/viruses-and-spyware/w32stuxnetb.html):

    “When W32/Stuxnet-B is run, it installs rootkit component by creating files:

    \drivers\mrxcls.sys
    \drivers\mrxnet.sys

    The files mrxcls.sys and mrxnet.sys are registered as new services named “MRxCls” and “MRxNet”, with display names of “MRXCLS” and “MRXNET” respectively. Registry entries are created under:

    HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
    HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

    The rootkit component has functionalities to hide the presence of W32/Stuxnet-B.”

    Symantec has more (http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2) including mentioning:

    “Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.”
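A defender-side check built from the artifacts quoted in the comment above, added here as an example; it is not code from the commenter, from Sophos or from Symantec. It assumes that the “\drivers\” paths in the Sophos quote are relative to %SystemRoot%\System32, and it only reports what it finds: the absence of these names is no proof of a clean system, particularly since the quote says the rootkit component hides the infection. Comparing the ImagePath recorded in each service key against the file on disk, and hashing that file for later comparison, goes slightly beyond the quote itself.

```powershell
# Added example: look for the service keys and driver files named in the Sophos
# description quoted above. Read-only; run from an elevated prompt for full visibility.
function Test-ShortcutWormArtifacts {
    $serviceNames = 'MRxCls', 'MRxNet'                       # names from the quote
    $driverDir    = Join-Path $env:SystemRoot 'System32\drivers'   # assumed base path
    $driverFiles  = 'mrxcls.sys', 'mrxnet.sys'
    $findings     = @()

    foreach ($svc in $serviceNames) {
        $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Indicator = 'ServiceKey'
                Name      = $svc
                Detail    = 'ImagePath=' + $props.ImagePath + '; Start=' + $props.Start
            }
        }
    }

    foreach ($file in $driverFiles) {
        $path = Join-Path $driverDir $file
        if (Test-Path $path) {
            $item = Get-Item -Path $path -Force      # -Force shows hidden/system files
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Indicator = 'DriverFile'
                Name      = $file
                Detail    = "Attributes=$($item.Attributes); SHA256=$hash"
            }
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output 'None of the listed service keys or driver files were found (not proof of a clean host).'
    }
    $findings
}

Test-ShortcutWormArtifacts | Format-Table -AutoSize
```

Any row returned deserves a look by someone who can pull the file off the host and compare the hash against a vendor write-up; a service key with an ImagePath that points at a file which is not present, or vice versa, is also worth noting in an incident record.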

  10. Phoenix

    I got an unexpected result when I ran Microsoft’s Fixit: All it did was open Microsoft Security Essentials (which I was using as my anti-virus). I tried again this time as administrator and got the same result. I ran a scan and came up with nothing. Running Windows 7 64 bit.

  11. PC.Tech

    @ xAdmin

    “… Would rather it come from the vendor directly”
    We’d ALL like to have that, and if M$ had given us a better workaround than that crap “FixIt” for this issue, we wouldn’t be looking for something better. BTW, the ISC offered it up:
    http://isc.sans.edu/diary.html?storyid=9268


    1. xAdmin

      I agree Microsoft’s workaround/fixit is sub-par to say the least. I’m not saying anyone shouldn’t use it or Sophos’ tool. For the record, I’m NOT using either. I feel quite comfortable with the multiple layers of defense that are already in place on my systems, so I’ll leave it at that and take my risks as they may be while I wait for Microsoft to release a patch. Everyone has to make up their own mind on how best to proceed based on their environment and perceived risk level.

      I just wanted to make the point that third party fixes can complicate the issue and that they will most likely have to be backed out before installing Microsoft’s official patch (when it’s released). Besides, it goes against my strict rule of limiting what software is installed and keeping the system in as clean a state as possible. Not to mention I question the real efficacy of the Sophos tool and their intentions. But, that’s my own cynicism. 🙂

      Also, while I frequent Sans ISC numerous times a day and did see the Sophos diary post, I don’t believe it’s an endorsement of the Sophos tool or that it makes the tool any more important. They’re just passing along the info. 🙂

Comments are closed.