
Microsoft To Issue Emergency Fix For Windows .LNK Flaw

Posted by Soulskill
from the tee-plus-two-weeks dept.
Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."


  • Realtek certificate (Score:4, Interesting)

    by John Saffran (1763678) on Saturday July 31, 2010 @06:30AM (#33094242)
    The most interesting aspect of this rootkit was the use of the Realtek private key to sign the drivers. According to Kaspersky [threatpost.com]:

    Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft officials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.

    In hindsight the vendor certificate is a weakness in the entire process simply because access to the signing key bypasses the controls in place. Hardware vendors aren't likely to be as conscious, at least until this incident, of the need to maintain proper security around their signing keys, nor are there requirements enforcing such security. In comparison, keys used for financial transactions are generally held in HSMs with strong access controls around them to prevent the revealing of the private key. This particular rootkit was specifically confined to SCADA so the impact was always going to be small, but the malware could've easily been targeted to attack general Windows installs... who knows how much damage it could've caused then?

    Luckily this specific certificate was going to expire soon so there was probably less resistance from the vendor in revoking it than there might've been, but if such revocation was going to invalidate significant numbers of drivers then that would've posed the problem of either leaving the certificate valid to be used for other types of malware or revoking it and invalidating however many drivers had already been signed by that key. Unfortunately it's not very likely that hardware manufacturers will ever submit to using HSM-type devices or the processes necessary to ensure key secrecy, so it looks like this will just have to be yet another potential attack vector that's caused by vendor negligence.

  • by rduke15 (721841) <rduke15@nospAm.gmail.com> on Saturday July 31, 2010 @06:49AM (#33094314)

    VirtualBox is great. I agree that dual boot is a pain, but no access to Windows at all is a pain too. I have an XP VM in VirtualBox (in Ubuntu), so I can use the few Windows-only programs I occasionally need without any trouble.

  • by alexhs (877055) on Saturday July 31, 2010 @07:53AM (#33094528) Homepage Journal

    From what I've understood, it is a buffer overflow in the way .lnk files are handled that has been exploited.

    It doesn't require autorun, just the reading of the .lnk (which happens when you're displaying the .lnk in Explorer).

    The flaw has been discovered from Stuxnet, a virus that happens to target specific systems, but is in no way limited to these systems.

    By the way, does anyone know if it is possible to put a noexec on USB keys like you can on unices? Although it wouldn't help with this flaw, it is usually better practice (as long as you're not using portable apps).

  • by kingdominic (1868276) on Saturday July 31, 2010 @10:16AM (#33095118)
    The .LNK Binary File Format is an Open Specification provided by Microsoft via the following document:
    http://msdn.microsoft.com/en-us/library/dd871305(PROT.13).aspx [microsoft.com]
    ~ king
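
    The MS-SHLLINK document linked above describes the fixed 76-byte ShellLinkHeader and the variable-length LinkTargetIDList that follows it. As an added example (not code from this thread, from Microsoft, or from any shell implementation), here is a stand-alone, bounds-checked reader for those two structures: it validates HeaderSize and the Shell Link CLSID, then walks the ItemID chain, checking every declared size against the enclosing structure before reading. The sample link bytes are constructed for the demonstration and the ItemID payloads are arbitrary placeholders, not real shell item encodings; the field names follow the specification.

```python
# Added example: a defensive reader for the ShellLinkHeader and
# LinkTargetIDList of a .LNK file, following the layout in MS-SHLLINK.
# The sample bytes built by build_sample() are constructed, not a real link.
import struct
import uuid

SHELL_LINK_HEADER_SIZE = 0x4C                     # HeaderSize must be exactly 0x0000004C
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001              # LinkFlags bit A
HEADER_FMT = "<I16sIIQQQIIIHHII"                   # little-endian, 76 bytes in total


class LnkFormatError(ValueError):
    """Raised when the bytes do not match the documented layout."""


def parse_header(data):
    """Validate the ShellLinkHeader; return (link_flags, file_size, show_command)."""
    if len(data) < SHELL_LINK_HEADER_SIZE:
        raise LnkFormatError("shorter than ShellLinkHeader")
    fields = struct.unpack(HEADER_FMT, data[:SHELL_LINK_HEADER_SIZE])
    header_size, clsid_le, link_flags = fields[0], fields[1], fields[2]
    file_size, show_command = fields[7], fields[9]
    if header_size != SHELL_LINK_HEADER_SIZE:
        raise LnkFormatError("HeaderSize is 0x%x, expected 0x4c" % header_size)
    # LinkCLSID is stored in Windows GUID byte order, hence bytes_le.
    if uuid.UUID(bytes_le=clsid_le) != SHELL_LINK_CLSID:
        raise LnkFormatError("LinkCLSID is not the Shell Link CLSID")
    return link_flags, file_size, show_command


def parse_id_list(data, offset):
    """Walk the LinkTargetIDList at offset; return (item payloads, next offset).

    Layout: uint16 IDListSize, then ItemIDs (uint16 cb that counts itself,
    followed by cb-2 payload bytes), then a uint16 TerminalID of zero.
    Every size is checked against the enclosing structure before use.
    """
    if offset + 2 > len(data):
        raise LnkFormatError("truncated IDListSize")
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    start, end = offset + 2, offset + 2 + id_list_size
    if end > len(data):
        raise LnkFormatError("IDListSize runs past end of file")
    items, pos = [], start
    while True:
        if pos + 2 > end:
            raise LnkFormatError("IDList has no TerminalID")
        (cb,) = struct.unpack_from("<H", data, pos)
        if cb == 0:                               # TerminalID reached
            pos += 2
            break
        if cb < 2 or pos + cb > end:
            raise LnkFormatError("ItemID size %d escapes IDList" % cb)
        items.append(data[pos + 2:pos + cb])
        pos += cb
    if pos != end:
        raise LnkFormatError("IDListSize does not match the items walked")
    return items, end


def parse_lnk(data):
    """Parse the header and, when flagged, the IDList; return a summary dict."""
    link_flags, file_size, show_command = parse_header(data)
    items, offset = [], SHELL_LINK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        items, offset = parse_id_list(data, offset)
    return {"file_size": file_size, "show_command": show_command,
            "item_count": len(items), "parsed_bytes": offset}


def build_sample(item_payloads, declared_id_list_size=None):
    """Construct header + IDList bytes for testing (constructed, not a real link)."""
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    if declared_id_list_size is None:
        declared_id_list_size = len(body)
    header = struct.pack(HEADER_FMT, SHELL_LINK_HEADER_SIZE, SHELL_LINK_CLSID.bytes_le,
                         HAS_LINK_TARGET_ID_LIST, 0x20, 0, 0, 0, 1234, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", declared_id_list_size) + body


# Placeholder ItemID payloads (constructed); a real link carries shell item data here.
SAMPLE_ITEMS = [b"\x1f" + b"\x00" * 16, b"\x2fC:\\"]
GOOD_LNK = build_sample(SAMPLE_ITEMS)
# Corrupt sample: IDListSize claims 4 bytes but the first ItemID claims 19.
BAD_LNK = build_sample(SAMPLE_ITEMS, declared_id_list_size=4)


def check(data):
    """Return the parsed summary, or a 'rejected: ...' string if the file fails a check."""
    try:
        return parse_lnk(data)
    except LnkFormatError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print(check(GOOD_LNK))
    print(check(BAD_LNK))
```

    Run as a script it prints the summary for the well-formed sample and a rejection for the one whose ItemID size escapes its IDList; the point of the design is that each size field is bounded by the structure that contains it before any payload is touched, so a mismatch is reported rather than read past.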
  • by Anonymous Coward on Saturday July 31, 2010 @12:32PM (#33095914)

    How does that do us any good though? It's not like Microsoft's implementation can be easily replaced, is it? Do they use a well documented stand-alone library for working with .lnk files? One that I could just plug in an alternate implementation of by exporting the same symbols? Probably not. It's probably lumped in with hundreds of other unrelated functions in some binary that can't be replaced without a significant amount of reverse engineering.

    In the end you're still at Microsoft's mercy. Hope their fix works.
