Comments on: Tool Blunts Threat from Windows Shortcut Flaw

By: Patrick

Patrick — Thu, 27 Jan 2011 01:03:27 +0000

Cool shortcuts, very useful. Thanks a bunch!!! I found a few more shortcuts here: http://www.usingcomputers.co.uk/tutorials/useful-windows-shortcuts.php its worth taking a look at combined with this article. Thanks, keep up the good posts!

Big Thanks

Like or Dislike: 0 0

By: Axel

Axel — Tue, 27 Jul 2010 22:36:07 +0000

FYI. Another tool – G Data’s LNK-Checker was mentioned by heise online:
http://www.h-online.com/security/news/item/Anti-virus-vendors-offer-free-LNK-protection-Update-1046183.html

Like or Dislike: 0 0

By: xAdmin

xAdmin — Tue, 27 Jul 2010 17:47:26 +0000

I agree Microsoft’s workaround/fixit is sub-par to say the least. I’m not saying anyone shouldn’t use it or Sophos’ tool. For the record, I’m NOT using either. I feel quite comfortable with the multiple layers of defense that are already in place on my systems, so I’ll leave it at that and take my risks as they may be while I wait for Microsoft to release a patch. Everyone has to make up their own mind on how best to proceed based on their environment and perceived risk level.

I just wanted to make the point that third party fixes can complicate the issue and that they will most likely have to be backed out before installing Microsoft’s official patch (when it’s released). Besides, it goes against my strict rule of limiting what software is installed and keeping the system in as clean a state as possible. Not to mention I question the real efficacy of the Sophos tool and their intentions. But, that’s my own cynicism.

Also, while I frequent Sans ISC numerous times a day and did see the Sophos diary post, I don’t believe it’s an endorsement of the Sophos tool or that it makes the tool any more important. They’re just passing along the info.

Like or Dislike: 1 0

By: PC.Tech

PC.Tech — Tue, 27 Jul 2010 16:02:12 +0000

@ xAdmin

“… Would rather it come from the vendor directly”
We’d ALL like to have that, and if M$ had given us a better workaround than that crap “FixIt” for this issue, we wouldn’t be looking for something better. BTW, the ISC offered it up:
- http://isc.sans.edu/diary.html?storyid=9268

Like or Dislike: 0 2

By: Phoenix

Phoenix — Tue, 27 Jul 2010 14:44:16 +0000

I got an unexpected result when I ran Microsoft’s Fixit: All it did was open Microsoft Security Essentials (which I as using as my anti-virus). I tried again this time as administrator and got the same result. I ran a scan and came up with nothing. Running Windows 7 64 bit.

Like or Dislike: 0 2

By: xAdmin

xAdmin — Tue, 27 Jul 2010 14:43:14 +0000

Something that hasn’t been said enough is the value of using a limited user account! As with most malware, it needs full administrator access to fully infect a system. Those areas of the hard drive and registry (listed below) are READ ONLY when you’re logged in with a limited user, so the malware is unable to write there and is unable to do its bidding! Of course all of this is assuming malware gets past your primary defenses first. Thus, the value of a multi-layered defense!

From Sophos (http://www.sophos.com/security/analyses/viruses-and-spyware/w32stuxnetb.html):

“When W32/Stuxnet-B is run, it installs rootkit component by creating files:

\drivers\mrxcls.sys
\drivers\mrxnet.sys

The file mrxcls.sys and mrxnet.sys are registered as new services named “MRxCls” and “MRxNet, with display names of “MRXCLS” and “MRXNET” respectively. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

The rootkit component has funcionalities to hide the presence of W32/Stuxnet-B.”

Symantec has more (http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2) including mentioning:

“Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.”

Like or Dislike: 2 0

By: xAdmin

xAdmin — Tue, 27 Jul 2010 14:06:56 +0000

Haven’t tried it. I’ve always been very uncomfortable implementing third party fixes. Would rather it come from the vendor directly! Regardless of whether it’s effective or not, IMO, such third party fixes complicate the situation as you’ll have to uninstall it before installing Microsoft’s official patch (when it gets released, hopefully soon). Then you have to hope that the Sophos tool doesn’t leave something behind that may interfere with Microsoft’s patch or prevent its installation.

From what I’ve read on Sophos’ fix, it seems more a marketing strategy of, “Look, we came up with a fix, try our product!”

From their site (first link of MowGreen’s post):
“Sophos customers are safe from this exploit. Not a Sophos customer? Try Sophos Endpoint Security and Data Protection for free.”

Like or Dislike: 1 1

By: Michael

Michael — Tue, 27 Jul 2010 13:54:30 +0000

SANS says the Sophos tool works for .LNKs but not for .PIFs.

Like or Dislike: 1 0

By: Peter

Peter — Tue, 27 Jul 2010 12:02:16 +0000

Has anyone installed and used/tested this tool? What have the results been?

Like or Dislike: 1 1

By: MowGreen

MowGreen — Mon, 26 Jul 2010 17:38:47 +0000

Sophos has a issued a tool to provide protection from this vulnerability:
Windows Shortcut Exploit
Protection Tool
http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html

Sophos KB article explaining how it works:
http://www.sophos.com/support/knowledgebase/article/111570.html

Like or Dislike: 1 0