MA-239.072010: MyCERT Alert – Critical Vulnerability in Microsoft Windows

Date of publication: 2010-07-17

1.0 Introduction

A critical vulnerability (CVE-2010-2568) has been identified in Microsoft Windows that executes code specified in shortcut files (.LNK). If successfully exploited, the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user on the affected system. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. MyCERT is aware that a '0-day' exploit is being used in the wild at the time of publication of this advisory.

2.0 Impact

An attacker who successfully exploits this vulnerability will be able to execute arbitrary code remotely and take control of the affected system.

3.0 Affected Products

The detailed list of vulnerable products and versions is as follows:
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems
4.0 Recommendations

As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround:

4.1 Disable the displaying of icons for shortcuts

- Microsoft Security Response Center has created a Microsoft Fix It to automate this. The Fix It can be run on individual systems, or enterprises can deploy it through their automated systems. The Microsoft Fix It can be obtained from the following URL: http://support.microsoft.com/kb/2286198
- If you choose to disable it manually, follow these steps:
  - Click on the Start menu and choose Run
  - Type in regedit and click OK
  - Delete the registry 'Default' key located in HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
  - Restart your computer
* Note that disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

4.2 Disable the WebClient service

- Click on the Start menu and choose Run
- Type in Services.msc and click OK
- Right-click WebClient service and select Properties
- Change the Startup type to Disabled. If the service is running, click Stop.
- Click OK and exit the management application.
* Note that when the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.
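The following PowerShell script is an added example and is not part of the MyCERT advisory or of Microsoft's Fix It; it audits whether the two interim workarounds from sections 4.1 and 4.2 are in place on a host and, when run with the hypothetical -Apply switch, performs them. It removes the (Default) value of the HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler key, which is what the regedit step in 4.1 amounts to, and stops and disables the WebClient service as in 4.2. It assumes an elevated PowerShell session on one of the affected Windows versions; cmdlets used (Get-ItemProperty, Remove-ItemProperty, Get-Service, Set-Service, Get-WmiObject) are standard, and the function names are the author's own.

```powershell
# Added example (not from the advisory): audit and optionally apply the
# section 4.1 and 4.2 workarounds for CVE-2010-2568. Run elevated.
# Without -Apply the script only reports the current state.
[CmdletBinding()]
param(
    [switch]$Apply
)

# Key named in section 4.1. HKCR: is not a default PowerShell drive on
# older Windows, so the Registry:: provider path is used instead.
$iconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'

function Get-LnkIconHandlerState {
    # $true when the shortcut icon handler is still registered (the (default)
    # value exists), $false when the 4.1 workaround is already in place.
    if (-not (Test-Path -Path $iconHandlerKey)) { return $false }
    $props = Get-ItemProperty -Path $iconHandlerKey -ErrorAction SilentlyContinue
    return ($null -ne $props -and $null -ne $props.'(default)')
}

function Disable-LnkIconHandler {
    # Mirrors the manual regedit step in 4.1. As the advisory notes, a
    # restart is still required before the change takes effect.
    if (Get-LnkIconHandlerState) {
        Remove-ItemProperty -Path $iconHandlerKey -Name '(default)' -ErrorAction Stop
        Write-Output 'Removed lnkfile IconHandler (default) value; restart required.'
    } else {
        Write-Output 'lnkfile IconHandler is already disabled.'
    }
}

function Get-WebClientState {
    # Returns status and start mode of the WebClient service (section 4.2).
    # Win32_Service is used because Get-Service on PowerShell 2.0 does not
    # expose the startup type.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $null }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        Status    = $svc.Status
        StartMode = $wmi.StartMode
    }
}

function Disable-WebClientService {
    # Mirrors 4.2: stop the service if it is running, then set Startup type
    # to Disabled. Services that depend on WebClient (e.g. WebDAV shares)
    # will stop working, as the advisory's note describes.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Output 'WebClient service not present.'; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    Write-Output 'WebClient service stopped and set to Disabled.'
}

# Report the current state of both workarounds.
$iconHandlerActive = Get-LnkIconHandlerState
$webClient = Get-WebClientState
Write-Output ("Shortcut icon handler registered : {0}" -f $iconHandlerActive)
if ($null -ne $webClient) {
    Write-Output ("WebClient service                : {0} (start mode {1})" -f `
        $webClient.Status, $webClient.StartMode)
}

if ($Apply) {
    Disable-LnkIconHandler
    Disable-WebClientService
}
```

Run it once without -Apply across a fleet to see which hosts still have the icon handler registered and WebClient enabled, then again with -Apply on the hosts that need it; the first output line flipping to False after a reboot confirms the 4.1 workaround took effect.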
MyCERT would like to advise users of Microsoft Windows to be vigilant of the latest security announcements by Microsoft and to ensure that their operating systems are automatically updated. The article on how to enable the auto update feature in Microsoft Windows is available at the following URL:

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

MyCERT can be reached through the following channels for further assistance:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References