#1
Failed LNK patch from 2010 now an issue in 2015 (for WinXP users)
A heads up about this article.

http://arstechnica.com/security/2015...ts-since-2010/

In 2010, Microsoft patched an issue where a specially constructed LNK (shortcut) file on a USB stick could be evaluated by shell32 and be used to infect the computer. Most people are aware, when plugging in USB sticks, that autorun.inf can contain content which can be executed immediately. Well, even if you have your autorun turned off, the LNK thing is still an issue.

On Patch Tuesday (Mar 2015), Microsoft patched SHELL32.dll again, only this time there is no patch for WinXP. The other OSes got patched. It turns out that the Microsoft patch in 2010 wasn't good enough. There is still an issue with this exploit. If you pick up a USB stick lying in the employee parking lot and plug it into a WinXP SP3 2010-patched computer, you could still be infected. Even if your autorun.inf is turned off.

This is the patch that was applied August 2010. I can find evidence I installed this on my machine when the patch came out.

https://technet.microsoft.com/library/security/2286198

The "meat" of that one is here.

https://technet.microsoft.com/library/security/ms10-046

In MS10-046, it lists some "workaround techniques" as well as a Fixit enable/disable for LNK. I have been unable to find a reference to the Fixit, so I don't know the two numbers of the Fixit files. You could follow the manual procedure in MS10-046 even today, given the continued vulnerability. There were some complaints about the Fixit, in that it "caused my icons to disappear". So using the Fixit as an easy way to disable that execution path isn't without side effects.

The manual fix consists of two steps:

1) Disabling LNK via Registry.
2) Turning off WebDAV service, as a second attack path. (SMB shares combined with WebDAV) This has side effects (see the podcast below).

The G-DATA site has "G DATA LNK-Checker (4,35 MB)". It is a tool that can scan a USB stick when it is plugged in and see whether the LNK onboard is dangerous or not. But it will not prevent trouble if a user actually double-clicks on the LNK. G-DATA recommends the usage of an AV program to cover such a possibility. So it's possible this could function as a replacement for (1), without messing up the icons quite the way (1) does. It's not clear if the G-DATA one covers LNK and PIF or just LNK.

http://www.infoworld.com/article/262...t-attacks.html
https://www.gdatasoftware.co.uk/downloads (under the "Tools" tab...)

Installer for G-DATA mitigation of LNK.
https://public.gdatasoftware.com/Pro...r_EN.setup.exe

-------

http://www.sophos.com/en-us/security.../shortcut.aspx

Installer for Sophos mitigation of LNK.
http://downloads.sophos.com/custom-t...n %20Tool.msi

Podcast from 2010 about your exposure... (12,820,238 bytes)
http://web.archive.org/web/201209270...odcast-072.mp3

I'm thinking some combination of one of those tools, plus disabling WebDAV, might be sufficient so you can start picking up those USB sticks in the employee parking lot and plugging them into your WinXP SP3 computer. That's about as far as I got. Not a real solid strategy... The ingredients are there, if you put the time into it.

If you're using an AV, it likely already does the scanning of the USB stick for you. So that's another way to cover the "USB stick in the parking lot" attack. Since this exploit method has been around since 2010, it should be covered for as long as WinXP AVs are available.

*******

And no. I haven't fixed mine yet. I'll wait until some IT guy wanders in here and gives a bit of feedback first.

Paul
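An audit script for the two manual MS10-046 workaround points the post lists, typed at an XP cmd prompt. This is an added example, not from the thread, from Microsoft or from G DATA/Sophos; it assumes the lnkfile/piffile IconHandler registry keys, the ShellLink CLSID {00021401-0000-0000-C000-000000000046} and the WebClient (WebDAV redirector) service name as documented in MS10-046, and it only reports, changing nothing.

```batch
@echo off
rem Added example: report whether the MS10-046 manual workarounds are in place.
rem Assumptions (from MS10-046): the shortcut icon handler lives under
rem HKCR\lnkfile\shellex\IconHandler and HKCR\piffile\shellex\IconHandler,
rem its default value is the ShellLink CLSID, and WebDAV is the WebClient service.
setlocal

echo === 1. Shortcut icon handlers (MS10-046 workaround: disable icon display) ===
call :checkhandler lnkfile
call :checkhandler piffile

echo.
echo === 2. WebClient / WebDAV service (MS10-046 workaround: disable WebClient) ===
rem Current run state and configured start type, for the record.
sc query WebClient | findstr /i "STATE"
sc qc WebClient | findstr /i "START_TYPE"
sc qc WebClient | findstr /i "DISABLED" >nul
if errorlevel 1 (
    echo WebClient is not disabled: WebDAV remains a second path for hostile LNK files
) else (
    echo WebClient start type is DISABLED: workaround applied
)
endlocal
goto :eof

:checkhandler
rem %1 is the file class (lnkfile or piffile). The workaround clears the
rem default value, so an empty or missing value means the handler is off.
reg query "HKCR\%1\shellex\IconHandler" /ve 2>nul | findstr /i "00021401-0000-0000-C000-000000000046" >nul
if errorlevel 1 (
    echo %1 : ShellLink icon handler not registered, workaround appears applied
) else (
    echo %1 : ShellLink icon handler still registered, shell32 will parse %1 icons
)
goto :eof
```

Run it from an administrator cmd prompt; applying the workaround itself (clearing the IconHandler default value, restarting Explorer, and setting WebClient to Disabled in services.msc) is described step by step in MS10-046.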
#2
| On Patch Tuesday (Mar 2015), Microsoft patched SHELL32.dll again,
| only this time, there is no patch for WinXP.

Unless you're working for a corporation or government who've paid for support. MS will have a patch for XP. They just won't let us have it. As the saying goes, this is not your father's Sears store.

I checked out the details and this doesn't seem to be a big issue for most people. In the case of USB sticks, one should never pick one up in a parking lot for use, anyway. In the case of WebDAV, anything like WebClient service should be disabled on a private computer. Being at risk would require enabling WebClient *and* viewing files on an unsafe machine.

This is a classic case of corporate issues. If I remember correctly, the Stuxnet infection was pulled off by leaving around infected USB sticks. In a business setting that might work. In a business setting people are also likely to have full networking set up. They could protect themselves by just using common sense: Don't use unknown USB sticks in a high security nuclear facility and don't use an intranet-connected PC to go online. For those of us who don't work in business it's even easier to follow those guidelines.

To put it another way, anyone who's enabling network functionality on their standalone PC is probably at risk for a large number of attacks. Like javascript in a browser, it's very risky behavior that's taken far too lightly. Remember the Messenger bug when XP first came out? Microsoft enables services for networked PCs by default and had left Messenger service enabled by default. (Not Windows Messenger. Messenger service is for providing a way that the IT dept could, for instance, send a popup to every PC in a company saying, "Don't forget to shut down your computers for the holiday".) People were getting spam messages on their XP boxes from operators online exploiting the Messenger service!

Messenger service was just one of many that should be disabled on most machines, but it's probably the only one that is. There's no excuse for Microsoft's default services. It's just another example of the way they risk security (and increase bloat) in order to make Windows seem user-friendly, giving millions of people unsafe networking functionality so that a few people can experience it as working effortlessly, "out of the box".
#3
On Wed, 11 Mar 2015 09:28:43 -0400, Mayayana wrote:
| There's no excuse for Microsoft's default services. It's just another example of the way they risk security (and increase bloat) in order to make Windows seem user-friendly, giving millions of people unsafe networking functionality so that a few people can experience it as working effortlessly, "out of the box".

The problem is, Microsoft is very good at it and more users seem taken by it. Dazzle first, deal with the problems later. Uh, huh...
#4
In message , Paul writes:
| A heads up about this article.
| http://arstechnica.com/security/2015...-remained-vulnerable-to-stuxnet-usb-exploits-since-2010/
| In 2010, Microsoft patched an issue, where a specially constructed LNK (shortcut) file on a USB stick, could be evaluated by shell32 and be used to infect the computer. Most people are aware, when plugging in USB sticks, that autorun.inf can contain content which can be executed immediately. Well, even if you have your autorun turned off, the LNK thing is still an issue.
| On Patch Tuesday (Mar 2015), Microsoft patched SHELL32.dll again, only this time, there is no patch for WinXP. The other OSes got patched.

How about POS-XP?

[]

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

If you don't know how to orient your card to swipe it through the reader, the checkout person will say, "Strip down, face toward me." (DNRC newsletter 1997)
#5
J. P. Gilliver (John) wrote:
| In message , Paul writes:
| | A heads up about this article.
| | http://arstechnica.com/security/2015...-remained-vulnerable-to-stuxnet-usb-exploits-since-2010/
| | In 2010, Microsoft patched an issue, where a specially constructed LNK (shortcut) file on a USB stick, could be evaluated by shell32 and be used to infect the computer. Most people are aware, when plugging in USB sticks, that autorun.inf can contain content which can be executed immediately. Well, even if you have your autorun turned off, the LNK thing is still an issue.
| | On Patch Tuesday (Mar 2015), Microsoft patched SHELL32.dll again, only this time, there is no patch for WinXP. The other OSes got patched.
|
| How about POS-XP?
|
| []

I'm sure it got a new shell32.dll. But I'm not set up for updates from that. I haven't seen any feedback on whether going the POS update path has caused problems or not. I wouldn't promote POS unless there was positive feedback.

[ POS = WinXP version running Point Of Sale terminals, whose WinXP updates can be abused to keep a WinXP system up to date ]

Paul