A Windows XP help forum. PCbanter

Failed LNK patch from 2010 now an issue in 2015 (for WinXP users)

  #1  
Old March 11th 15, 10:43 AM posted to microsoft.public.windowsxp.general
Paul

A heads up about this article.

http://arstechnica.com/security/2015...ts-since-2010/

In 2010, Microsoft patched an issue where a specially
constructed LNK (shortcut) file on a USB stick could
be evaluated by shell32 and be used to infect the computer.
Most people are aware, when plugging in USB sticks,
that autorun.inf can contain content which can be
executed immediately. Well, even if you have your
autorun turned off, the LNK thing is still an issue.

On Patch Tuesday (Mar 2015), Microsoft patched SHELL32.dll again,
only this time, there is no patch for WinXP. The other
OSes got patched.

It turns out that the Microsoft patch in 2010 wasn't
good enough. There is still an issue with this exploit.
If you pick up a USB stick lying in the employee parking
lot, plug it into a WinXP SP3 2010 patched computer, you
could still be infected. Even if your autorun.inf is turned
off.

This is the patch that was applied in August 2010. I can
find evidence I installed this on my machine when the
patch came out.

https://technet.microsoft.com/library/security/2286198

The "meat" of that one, is here.

https://technet.microsoft.com/library/security/ms10-046

In MS10-046, it lists some "workaround techniques" as
well as a Fixit enable/disable for LNK. I have been
unable to find a reference to the Fixit, so I don't
know the two numbers of the Fixit files. You could follow
the manual procedure in MS10-046 even today, given
the continued vulnerability. There were some
complaints about the Fixit, in that it "caused my icons
to disappear". So using the Fixit as an easy way to
disable that execution path, isn't without side effects.

The manual fix consists of two steps:

1) Disabling LNK via Registry.
2) Turning off WebDAV service, as a second attack path.
(SMB shares combined with WebDAV)
This has side effects (see the podcast below).

The G-DATA site has "G DATA LNK-Checker (4,35 MB)". It
is a tool that can scan a USB stick when it is plugged
in, and see whether the LNK onboard is dangerous or not.
But it will not prevent trouble, if a user actually
double-clicks on the LNK. G-DATA recommends the usage
of an AV program, to cover such a possibility. So
it's possible this could function as a replacement for (1),
without messing up the icons quite the way (1) does.
It's not clear if the G-DATA one covers LNK and PIF
or just LNK.

http://www.infoworld.com/article/262...t-attacks.html

https://www.gdatasoftware.co.uk/downloads (under the "Tools" tab...)

Installer for G-DATA mitigation of LNK.
https://public.gdatasoftware.com/Pro...r_EN.setup.exe

-------

http://www.sophos.com/en-us/security.../shortcut.aspx

Installer for Sophos mitigation of LNK.
http://downloads.sophos.com/custom-t...n %20Tool.msi

Podcast from 2010 about your exposure... (12,820,238 bytes)
http://web.archive.org/web/201209270...odcast-072.mp3

I'm thinking, some combination of one of those
tools, plus disabling WEBDAV, might be sufficient
so you can start picking up those USB sticks
in the employee parking lot and plugging them
into your WinXP SP3 computer.

That's about as far as I got. Not a real
solid strategy... The ingredients are there, if you
put the time into it.

If you're using an AV, it likely already does the
scanning of the USB stick for you. So that's another
way to cover the "USB stick in the parking lot" attack.
Since this exploit method has been around since 2010,
it should be covered, for as long as WinXP AVs are
available.

*******

And no. I haven't fixed mine yet. I'll wait until
some IT guy wanders in here and gives a bit of
feedback first.

Paul
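A worked check for the kind of shortcut described in the post above, added here as an example; it is not code from the original post and not a reimplementation of the G DATA LNK-Checker or the Sophos tool linked there (how those decide is not known from the thread). It parses only the documented parts of the .LNK format (ShellLinkHeader and LinkTargetIDList, per MS-SHLLINK) and then applies an assumed heuristic: a shortcut whose target ID list embeds a path to a .dll or .cpl outside the Windows system directory is flagged, because a genuine Control Panel shortcut names an applet in system32 while the 2010 exploit pointed the icon handler at a module carried on the stick itself. The heuristic, the "system" path prefixes, the constructed sample shortcuts and all helper names are assumptions of this example; the undocumented Control Panel item layout is not decoded, UTF-16 strings are simply pulled out of each item.

```python
"""Heuristic .LNK triage for the MS10-046 shortcut pattern.

Added example for this thread, not code from the original post and not a
reimplementation of the G DATA / Sophos checkers. Only the documented
ShellLinkHeader and LinkTargetIDList (MS-SHLLINK) are parsed; the
Control Panel item layout is NOT decoded, UTF-16 strings are extracted
from each ItemID instead. The "outside system32" rule is an assumed
heuristic, useful for triage before anyone double-clicks, not a fix.
"""
import re
import struct
import sys

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C                 # fixed ShellLinkHeader size
HAS_LINK_TARGET_ID_LIST = 0x01     # LinkFlags bit 0

# Runs of at least four printable ASCII characters encoded as UTF-16LE.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Assumed prefixes under which a Control Panel applet is expected (lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "%systemroot%\\system32\\", "%windir%\\system32\\")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the raw Data of each ItemID in the target ID list.
    Every length read from the file is bounds-checked; malformed input raises
    ValueError instead of being trusted."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file (HeaderSize/LinkCLSID mismatch)")
    items = []
    offset = HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        if offset + 2 > len(data):
            raise ValueError("truncated IDListSize")
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2
        end = offset + idlist_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        while offset + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, offset)
            if item_size == 0:                      # TerminalID closes the list
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("ItemIDSize out of bounds")
            items.append(data[offset + 2:offset + item_size])
            offset += item_size
    return {"flags": link_flags, "items": items}


def embedded_strings(blob: bytes) -> list:
    """Printable UTF-16LE runs inside an ItemID, decoded to str."""
    return [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(blob)]


def suspicious_module_paths(parsed: dict) -> list:
    """DLL/CPL paths in the ID list that do not sit under the system directory."""
    hits = []
    for item in parsed["items"]:
        for text in embedded_strings(item):
            low = text.lower()
            if low.endswith((".dll", ".cpl")) and not low.startswith(SYSTEM_DIRS):
                hits.append(text)
    return hits


def is_suspicious(data: bytes) -> bool:
    return bool(suspicious_module_paths(parse_lnk(data)))


def build_sample_lnk(module_path: str) -> bytes:
    """Constructed test data: a minimal LNK whose single ItemID carries a
    UTF-16 module path. Not a captured sample and not the real Control Panel
    item layout, just enough structure for the parser and heuristic above."""
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST,
        0,            # FileAttributes
        0, 0, 0,      # CreationTime, AccessTime, WriteTime
        0, 0,         # FileSize, IconIndex
        1,            # ShowCommand = SW_SHOWNORMAL
        0,            # HotKey
        0, 0, 0,      # Reserved1..3
    )
    item_data = module_path.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", len(item_data) + 2) + item_data
    idlist = item + b"\x00\x00"                      # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist


if __name__ == "__main__":
    # Usage: python lnk_check.py E:\one.lnk E:\two.lnk ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                hits = suspicious_module_paths(parse_lnk(fh.read()))
            except ValueError as exc:
                print(f"{path}: unparseable ({exc})")
                continue
        print(f"{path}: {'SUSPICIOUS ' + ', '.join(hits) if hits else 'ok'}")
```

Point it at the .lnk files copied off a stick (copying and reading them is safe; it is Explorer rendering the icon that triggers the bug). Expect false positives for shortcuts to third-party Control Panel applets installed outside system32, and expect misses: a shortcut that reaches a module through a path the string extractor does not see is not caught, which is why the registry workaround in MS10-046 remains the actual mitigation.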
  #2  
Old March 11th 15, 01:28 PM posted to microsoft.public.windowsxp.general
Mayayana


| On Patch Tuesday (Mar 2015), Microsoft patched SHELL32.dll again,
| only this time, there is no patch for WinXP.

Unless you're working for a corporation or government
who've paid for support. MS will have a patch for XP. They
just won't let us have it. As the saying goes, this is not
your father's Sears store.

I checked out the details and this doesn't seem to be
a big issue for most people. In the case of USB sticks,
one should never pick one up in a parking lot for use,
anyway. In the case of WebDAV, anything like WebClient
service should be disabled on a private computer. Being
at risk would require enabling WebClient *and* viewing
files on an unsafe machine.

This is a classic case of corporate issues. If I remember
correctly, the Stuxnet infection was pulled off by leaving
around infected USB sticks. In a business setting that might
work. In a business setting people are also likely to have
full networking set up. They could protect themselves by
just using common sense: Don't use unknown USB sticks
in a high security nuclear facility and don't use an intranet-
connected PC to go online. For those of us who don't work
in business it's even easier to follow those guidelines.

To put it another way, anyone who's enabling network
functionality on their standalone PC is probably at risk for
a large number of attacks. Like javascript in a browser, it's
very risky behavior that's taken far too lightly.

Remember the Messenger bug when XP first came out?
Microsoft enables services for networked PCs by default and
had left Messenger service enabled by default. (Not Windows
Messenger. Messenger service is for providing a way that
the IT dept could, for instance, send a popup to every PC
in a company saying, "Don't forget to shut down your
computers for the holiday".) People were getting spam
messages on their XP boxes from operators online exploiting
the Messenger service!
Messenger service was just one of many that should be
disabled on most machines, but it's probably the only one
that is.

There's no excuse for Microsoft's default services. It's just
another example of the way they risk security (and increase
bloat) in order to make Windows seem user-friendly, giving
millions of people unsafe networking functionality so that a
few people can experience it as working effortlessly, "out
of the box".



  #3  
Old March 11th 15, 06:14 PM posted to microsoft.public.windowsxp.general
JJ[_11_]

On Wed, 11 Mar 2015 09:28:43 -0400, Mayayana wrote:

There's no excuse for Microsoft's default services. It's just
another example of the way they risk security (and increase
bloat) in order to make Windows seem user-friendly, giving
millions of people unsafe networking functionality so that a
few people can experience it as working effortlessly, "out
of the box".


The problem is, Microsoft is very good at it and more users seem taken by
it.

Dazzle first, deal with the problems later. Uh, huh...
  #4  
Old March 12th 15, 10:19 PM posted to microsoft.public.windowsxp.general
J. P. Gilliver (John)

In message , Paul
writes:
A heads up about this article.

http://arstechnica.com/security/2015...-remained-vulnerable-to-stuxnet-usb-exploits-since-2010/

In 2010, Microsoft patched an issue, where a specially
constructed LNK (shortcut) file on a USB stick, could
be evaluated by shell32 and be used to infect the computer.
Most people are aware, when plugging in USB sticks,
that autorun.inf can contain content which can be
executed immediately. Well, even if you have your
autorun turned off, the LNK thing is still an issue.

On Patch Tuesday (Mar 2015), Microsoft patched SHELL32.dll again,
only this time, there is no patch for WinXP. The other
OSes got patched.


How about POS-XP?
[]
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

If you don't know how to orient your card to swipe it through the reader, the
checkout person will say, "Strip down, face toward me." (DNRC newsletter 1997)
  #5  
Old March 13th 15, 01:01 AM posted to microsoft.public.windowsxp.general
Paul

J. P. Gilliver (John) wrote:
In message , Paul writes:
A heads up about this article.

http://arstechnica.com/security/2015...-remained-vulnerable-to-stuxnet-usb-exploits-since-2010/

In 2010, Microsoft patched an issue, where a specially
constructed LNK (shortcut) file on a USB stick, could
be evaluated by shell32 and be used to infect the computer.
Most people are aware, when plugging in USB sticks,
that autorun.inf can contain content which can be
executed immediately. Well, even if you have your
autorun turned off, the LNK thing is still an issue.

On Patch Tuesday (Mar 2015), Microsoft patched SHELL32.dll again,
only this time, there is no patch for WinXP. The other
OSes got patched.


How about POS-XP?
[]


I'm sure it got a new shell32.dll.
But I'm not set up for updates from that.

I haven't seen any feedback on whether going
the POS update path, has caused problems or not.
I wouldn't promote POS, unless there was positive
feedback.

[ POS = WinXP version running Point Of Sale terminals,
whose WinXP updates can be abused to keep a WinXP
system up to date ]

Paul