Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Microsoft releases FixIT for Windows Shortcut zero day attacks

Best practices and technical defenses should be used to avoid the new attacks that rely on malicious, spoofed Windows shortcuts.  Currently these zero-day attacks are not circulating extensively and have only surfaced in limited, targeted attacks.  However, this is likely to change, as noted in the articles at the bottom: malware authors are already exploring new conduits for seeding the exploit in the wild.

The danger of these attacks is that a crafted shortcut is exploited as soon as Windows displays its icon, so merely browsing a folder that contains one is enough; the user does not have to open or run anything.  Combined with Autorun or AutoPlay settings that open a removable drive automatically, the attack becomes completely automatic when the exploit is circulated on USB devices or through unsecured network shares.

Microsoft releases FixIT for Windows Shortcut zero day attacks
http://www.zdnet.com/blog/security/ms-ships-temporary-fix-it-for-windows-shortcut-zero-day-attacks/6916

QUOTE: Microsoft has released a “fix-it” tool as a stop-gap to block ongoing zero-day attacks against a new code execution flaw in Windows Shell. The attacks, which incorporate signed drivers from RealTek and JMicron, are spreading locally via malicious USB drives or remotely via network shares and WebDAV.  Microsoft has posted a pre-patch advisory that spells out the problem:

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/2286198.mspx

QUOTE: The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.

DOWNLOAD THE FIX IT WORKAROUND FROM HERE (a stop-gap mitigation, not the final patch):

Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution
http://support.microsoft.com/kb/2286198

QUOTE: Applying the Fix it will require a restart of the machine. The installation of the Fix it will prompt the user before restarting the system.

TIP: Always download both the Fix it and the Undo Fix it packages and label them clearly in separate folders. Once a true patch ships, both temporary Fix it tools are removed from the KB article in favor of the new security bulletin. The full security update will usually take care of undoing the Fix it, but keep the Undo Fix it on hand in case it is needed, since corporate inventory and patch-management systems may not track temporary fixes accurately.

SPECIAL WARNING: The Internet Storm Center warns Windows 2000 users to be especially careful, as there will most likely be no patch for that platform (Windows 2000 and Windows XP SP2 both left Microsoft support on July 13, 2010).  Windows XP users must move to SP3 so they can receive the protective patch when it becomes available.

ADDITIONAL PROTECTION BEYOND THE FIX IT: Disable Autorun, keep antivirus signatures current, and apply the usual best practices on every Windows version, whether or not it can take the Fix it.

HOW TO DISABLE AUTORUN FOR USB
http://support.microsoft.com/kb/967715
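The Fix it, the advisory's manual workarounds (disable shortcut icon rendering, disable the WebClient service) and the KB967715 Autorun guidance above all come down to a handful of registry values and one service, and the TIP about keeping an undo applies to each of them. The script below is an added example, written for this post; it is not Microsoft's Fix it and not code from the original article. It audits all three mitigations on a machine and, with -Apply, enforces them after saving the original icon-handler value so it can be restored. The registry paths, value names and the WebClient service name are an assumption on my part, taken from my reading of advisory 2286198 and KB967715; check them against the current Microsoft text before relying on the script.

```powershell
# Audit-LnkWorkarounds.ps1 -- added example for this post, not Microsoft's Fix it
# and not code from the original article. Run from an elevated PowerShell prompt.
# ASSUMPTION: the keys, value names and service name below are the ones advisory
# 2286198 and KB967715 describe for the manual workarounds; verify before use.
param(
    [switch]$Apply,                                            # default is report-only
    [string]$BackupDir = (Join-Path $env:ProgramData 'lnk-workaround-backup')
)

$IconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Findings = @()

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Shortcut icon rendering. The flaw triggers when Explorer draws a crafted
#    shortcut's icon, so the workaround blanks the default value of the lnkfile
#    IconHandler key. Side effect: every .lnk shows a generic icon until restored.
$Handler = Get-RegValue $IconHandlerKey '(default)'
if ([string]::IsNullOrEmpty($Handler)) {
    $Findings += 'OK   shortcut icon handler disabled (IconHandler default value empty)'
} else {
    $Findings += "WARN shortcut icon handler active: $Handler"
    if ($Apply) {
        # Keep your own undo: record the original CLSID before clearing it.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        Set-Content -Path (Join-Path $BackupDir 'IconHandler.txt') -Value $Handler
        Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value ''
        $Findings += "FIX  IconHandler cleared; original saved under $BackupDir (reboot to apply)"
    }
}

# 2. WebDAV client. Remote delivery over WebDAV relies on the WebClient service,
#    the advisory's second workaround. Win32_Service is queried instead of
#    Get-Service so that StartMode is available on older PowerShell versions.
$Web = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
if ($Web -eq $null) {
    $Findings += 'OK   WebClient service not installed'
} elseif ($Web.StartMode -eq 'Disabled' -and $Web.State -ne 'Running') {
    $Findings += 'OK   WebClient service stopped and disabled'
} else {
    $Findings += "WARN WebClient service $($Web.State), start mode $($Web.StartMode)"
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        $Findings += 'FIX  WebClient service stopped and disabled'
    }
}

# 3. Autorun for every drive type (KB967715). NoDriveTypeAutoRun = 0xFF turns
#    Autorun off for all drive types; HonorAutorunSetting = 1 is the value the
#    KB967715 update adds, and without that update the policy is not fully honored.
$Ndta  = Get-RegValue $ExplorerPolicy 'NoDriveTypeAutoRun'
$Honor = Get-RegValue $ExplorerPolicy 'HonorAutorunSetting'
if ($Ndta -eq 0xFF -and $Honor -eq 1) {
    $Findings += 'OK   Autorun disabled for all drive types'
} else {
    $Findings += "WARN Autorun policy incomplete (NoDriveTypeAutoRun=$Ndta, HonorAutorunSetting=$Honor)"
    if ($Apply) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null     # creates the key if absent
        Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
        Set-ItemProperty -Path $ExplorerPolicy -Name 'HonorAutorunSetting' -Value 1 -Type DWord
        $Findings += 'FIX  Autorun policy set for all drive types (takes effect at next logon)'
    }
}

$Findings | ForEach-Object { Write-Output $_ }
# Non-zero exit while anything is still open, so the script can run from a logon
# script or management tool and be tracked like any other compliance check.
if (($Findings -match '^WARN') -and -not $Apply) { exit 1 } else { exit 0 }
```

Run it without -Apply first to see what a machine already has in place; the WARN lines are exactly the items an inventory system that ignores temporary fixes will miss. Once the real security bulletin is installed, restore the saved IconHandler value (or run the Undo Fix it) so shortcuts get their icons back, and keep the Autorun and WebClient settings, which are worth leaving in place regardless of this particular flaw.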

INTERNET STORM CENTER - Windows shortcut dangers
http://isc.sans.edu/diary.html?storyid=9217
http://isc.sans.edu/diary.html?storyid=9181
http://isc.sans.edu/diary.html?storyid=9190

AVERT LABS - EXCELLENT FAQ
http://www.avertlabs.com/research/blog/index.php/2010/07/19/microsoft-0day-malformed-shortcut-vulnerability/

QUOTE: How widely is the issue being exploited? The issue is known to be exploited by malware in the wild. Initial attacks were limited. However, an exploit module in Metasploit was published today that uses WebDAV shares as an exploit vector. We expect wider exploitation of this issue. Users should keep their anti-virus software updated with the latest DATs (signatures).