Forgot your password?
typodupeerror
Microsoft Security Windows Worms News IT

Microsoft To Issue Emergency Fix For Windows .LNK Flaw 112

Posted by Soulskill
from the tee-plus-two-weeks dept.
Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."
This discussion has been archived. No new comments can be posted.

Microsoft To Issue Emergency Fix For Windows .LNK Flaw

Comments Filter:
  • Realtek certificate (Score:4, Interesting)

    by John Saffran (1763678) on Saturday July 31, 2010 @06:30AM (#33094242)
    The most interesting aspect of this rootkit was the use of the Realtek private key to sign the drivers. According to Kapersky [threatpost.com]:

    Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft oficials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.

    In hindsight the vendor certificate is a weakness in the entire process simply because access to the signing key bypasses the controls in place. Hardware vendors aren't likely to be as concious, at least until this incident, of the need to maintain proper security around their singing keys, nor are there requirements enforcing such security. In comparison keys used for financial transactions are generally held in HSMs with strong access controls around them to prevent the revealing of the private key. This particular rootkit was specifically confined to SCADA so the impact was always going to be small, but the malware could've easily been targetted to attack general windows installs .. who knows how much damage it could've caused then?

    Luckily this specific certificate was going to expire soon so there was probably less resistance from the vendor in revoking it than there might've been, but if such revokation was going to invalidate significant numbers of drivers then that would've posed the problem of either leaving the certificate valid to be used for other types of malware or revoking it and invalidating however many drivers had already been signed by that key. Unfortunately it's not very likely that hardware manufacturers will ever submit to using HSM-type devices or the processes necessary to ensure key secrecy, so it looks like this will just have to be yet another potential attack vector that's caused by vendor negligence.

    • by Calydor (739835)
      Hardware vendors aren't likely to be as concious(sic), at least until this incident, of the need to maintain proper security around their singing keys

      Damn those karaoke bars streaming live to the net!
    • Can't Microsoft remove the certificate from Windows through a patch? Then they could say "secure your signing certs or we'll delete your certs from Windows and you'll have a shitstorm of angry clients who can't use your drivers to deal with".

      • by vadim_t (324782)

        Certificates don't work like that.

        Micorosft runs a Certificate Authority. This has a public and private key. The public key is part of a Windows install. They use the private key is kept safely somewhere at MS, and used to sign certificates for other companies like Realtek.

        Then at install time, there is a check: this driver is signed by the Realtek key, which itself is signed by the Microsoft key. Therefore it's trusted, and it's okay to install.

        For revocation, MS will public a revocation list somewhere, wh

        • Right, I was thinking about something closer to browsers, which include a large list of CA Certs, but you can remove on of them and then all the certs signed by that CA would not be trusted.

          I thought Windows included a large number of HW manufacturers' certs, not a single "Microsoft cert" with which HW certs were signed against.

        • Re: (Score:3, Insightful)

          by sjames (1099)

          Fine then, the question is why doesn't MS REVOKE the Realtek cert?

          The USEFUL answer is that they did.

    • by TheLink (130905)
      The part I'm wondering about is are those Realtek signed components actually Realtek components?

      e.g. Did Realtek screw up on the cert handling or the components were actually made by realtek but were flexible enough to be abused by hackers?
    • by gad_zuki! (70830)

      Its incredible that MS doesnt force a UAC check on signed drivers install. That's really the fix, not this patch. These companies will never be able to properly secure their keys. Its time we started admitting that the trust in signed code is forever broken.

  • by Two99Point80 (542678) on Saturday July 31, 2010 @06:38AM (#33094274) Homepage
    This is just a copy (minus links) of the article at Threatpost. How about at least crediting the source?
  • by rduke15 (721841) <rduke15NO@SPAMgmail.com> on Saturday July 31, 2010 @06:41AM (#33094282)

    I still haven't understood what this .lnk flaw actually is, or what fun things it might be used for (and how).

    The previous discussion about this talked about SCADA systems, so I read the wikipedia article about SCADA but still don't quite get what it really is. And the vulnerability seemed to only be exploited on one particularly stupid system which used a hard-coded password.

    And it seemed to also require the use of Autorun/Autoplay which should obviously be disabled anyway. I have 2 files to take care of that on all my USB drives:

    Autorun.inf:

    [AutoRun]
    open=autorun.cmd
    shell\open\Command=autorun.cmd
    shell\explore\Command=autorun.cmd

    And autorun.cmd:

    @ECHO OFF
    ECHO ALERT: You have autorun enabled on this drive (%~d0)!
    ECHO.
    ECHO Trying to disable it:
    @ECHO ON

    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun" /ve /t REG_DWORD /d 255 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d "@SYS:Autorun-Disabled" /f

    @ECHO OFF
    ECHO.
    ECHO You may need to reboot.
    ECHO.
    @pause

    • Your fix doesn't matter as 99% of people out there will wonder around with autorun enabled.

      MS have to copy Apple's way of doing things. How long it took for Apple to fix the "startup items" flaw? They changed the scheme of doing things, did couple of permission tricks and prompted user with a complete non nerd window saying "Wrong permissions in Startup Items" like thing, with 2 options "fix" "don't fix", "fix" selected by default.

      Or, they figured Input Manager functionality which allows running from user's

    • Re: (Score:2, Interesting)

      by alexhs (877055)

      From what I've understood, it is a buffer overflow in the way .lnk are handled that has been exploited.

      It doesn't require autorun, just the reading of the .lnk (which happens when you're displaying the .lnk in the explorer)

      The flaw has been discovered from Stuxnet, a virus that happens to target specific systems, but is in no way limited to these systems.

      By the way, does anyone know if it is possible to put a noexec on USB keys like you can on unices ? Although it wouldn't help about this flaw, it is usuall

    • by noesckey (1841502) on Saturday July 31, 2010 @08:13AM (#33094604)
      Stuxnet functions even if autorun is disabled: http://www.sophos.com/pressoffice/news/articles/2010/07/stuxnet.html [sophos.com]
    • Re: (Score:1, Informative)

      by Anonymous Coward

      Please mod this down, the bug in the lnk handling does in no way require autorun, just browsing the folder will do. This btw also works with webdav shares (have fun ie users).

    • Re: (Score:1, Informative)

      by Anonymous Coward

      I still haven't understood what this .lnk flaw actually is,
      ...
      And it seemed to also require the use of Autorun/Autoplay.

      Than please do not comment upon it that way. And no, it does not need Autorun/Autoplay.

      Just getting the shortcut displayed in your file-browser window is enough to trigger the "exploit". And as most installations are "helpfull" enough to open the root-folder of the removable media you put into the machine that "looking at" is fully automated.

      Even if not, simply clicking on the USB-sticks

    • by jroysdon (201893)

      SCADA systems are the type of things that control nuclear reactors, power generation, power distribution, water distribution, and many more.

      For this reason the Siemens attack used a USB method, as typically SCADA systems are either heavily firewalled and/or air-gapped. Sneaker-net should be the only way to get into those networks when done right, and even then sneaker-net methods should be very restricted.

      Siemens HMI/SCADA [siemens.com].

  • by HangingChad (677530) on Saturday July 31, 2010 @06:44AM (#33094290) Homepage

    Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer.

    How do you suppose the crackers got a hold of Realtek's digital certificate? Seems to imply a level of sophistication that goes beyond most virus writers, many of whom are industry professionals these days. A government-backed organization maybe or well-funded industrial espionage.

    Behold the true face of cyberwar!

    • by alphatel (1450715) * on Saturday July 31, 2010 @07:30AM (#33094452)
      Agreed, who cares what the vulnerability is - exploits are never-ending. The digitally signed certificate is a sure-fire method of defeating a number of defense mechanisms and penetrate the MS core even further. As always, the benefit to the code writer is that any MS OS can be fooled, including server systems.
      • Re: (Score:3, Insightful)

        by AmberBlackCat (829689)
        So, if they had acquired the signature for Red Hat's online repository, Fedora wouldn't be vulnerable? If the user clicks yes to accept a Fedora key, that's less risky than clicking to accept a key on Windows?
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Virus authors aren't script kiddies anymore. They're trained software engineers. Remember Conficker? It had an implementation of MD6 only a few weeks after the specifications were release(It even contained a buffer overflow which was a fault in the specifications). However, to get a digital certificate signed, I'm guessing some bribery was in order. I'm guessing spam pays a lot these day, when it's done right.

    • by v1 (525388)

      How do you suppose the crackers got a hold of Realtek's digital certificate?

      My best speculation on that is an actual hacker (or hacker group) managed to extract the private key through nefarious means, possibly via a botnet-controlled or similarly zombified computer inside realtek, and then it was sold on the underground malware market.

      It's very unlikely the makers of Stuxnet were actually the ones that stole the key in the first place. Does make one wonder how much such a key would go for? I would expect

  • Windows 2000 users (Score:5, Informative)

    by trifish (826353) on Saturday July 31, 2010 @06:46AM (#33094296)

    A friendly warning to all Windows 2000 users out there, your OSs will remain vulnerable (unless you have a private agreement with MS).

    Support for you ended two weeks ago.
    http://support.microsoft.com/lifecycle/?LN=en-us&x=17&y=3&p1=3071 [microsoft.com]

    • As a person in TV industry, I can really relate to "people still running windwos 2000" but, trust me, it is absolutely suicidalif one doesn't run a commercial quality AV actually doing heuristics like Kaspersky or F-Secure.

      I am not a shareholder in these companies of course, it is just that they are running way deeper security checks and actually watching what really happens on the OS. People blame them for being heavier than "freeware av" for that reason.

      If you can live with pro-active way of doing things,

    • Re: (Score:3, Insightful)

      by Mhtsos (586325)

      This is especially important to anyone actually using the SCADA software this virus attacks. Some versions of WinCC are incompatible with XP (as in "only certified to run on windows 2000" i'm sure nothing technical prevents running in XP). So actually quite a large portion of the target group remains unpatched.

    • by gad_zuki! (70830)

      This attack can only use the credentials of the logged in user. Running as limited user limits its ability to do anything outside of your profile. That and basic AV means Win2000 is usable for a long time in the future.

    • by antdude (79039)

      Is the free version of the latest Avast AV enough for updated Windows 2000 SP4 users?

  • This virus made it's rounds through my work (Fortune 50 company). Man the clean-up was disruptive. Mcafee was quick with a patch to clean our computers, but I there were petabytes of storage to clean world wide.
  • by Ilgaz (86384) on Saturday July 31, 2010 @07:27AM (#33094450) Homepage

    For some reason, MS will shy away from mandadory CRL/OCSP checks. Bandwidth issues for 1 kb traffic?

    Realtek drivers, as they are software/hardware hybrid (more like softmodem) with unneccesarry junk like an extra control panel weights around 40 MB. Everyone knows it since we have to deal with their aspx powered weirdo site when vendors, including Apple Inc. installs old version of drivers. What kind of harm would Windows do asking certificate vendor (Verisign in this case) if the certificate is real?

    This is also a mistake by Apple too, they don't enable ocsp, at least to "best attempt" in fresh OS X install. You gotta do it in keychain utility preferences. Sad that, on OS X way of doing things, that would mean an instant security boost since native OS X apps uses the same framework for SSL comms.

    Funny is, this is also a problem on Symbian which doesn't rely on "app store". For example, on Nokia E71, one must live a complete usability hell if he/she enables "online certificate revocation check". They just couldn't fix the freaking UI and disabled online certificate check for signed symbian apps. So what happens if some dumb shareware vendor loses their certificate or they actually freely sign malware? You install AV. All this for saving (!) 1 KB of traffic.

    So, even if Verisign revokes it (or hurries, whatever), it won't have any effect until MS/Apple/Symbian (don't know others) wake up and enable certificate revocation checks by default in these days even your heater is connected to the internet.

    • They can revoke keys but then there is a new problem:

      -What if the system becomes unusable without a certain driver ( maybe even because the rootkit kills the system deliberate in that case). Who is responisble.
      -If the user gets prompted, what are his options? (e.g. in the simple case his system clock is wrong, but the error message is not clear).
      -What if revoking disables the sound of 66% of the windows machines and ONLY disable 0,001% the rootkit (but not even the actual virus).

      If you think this over, you

  • Why is this called an "emergency" fix? Just curious.
    • Re: (Score:3, Informative)

      by Shados (741919)

      because for various reasons (some that are even good), Microsoft only normally release patches once a month. When they can't wait, they call it an emergency fix. Simple enough?

  • by kingdominic (1868276) on Saturday July 31, 2010 @10:16AM (#33095118)
    The .LNK Binary File Format is an Open Specification provided by Microsoft via the following document:
    http://msdn.microsoft.com/en-us/library/dd871305(PROT.13).aspx [microsoft.com]
    ~ king
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      How does that do us any good though? It's not like Microsoft's implementation can be easily replaced is it? Do they use a well documented stand alone library for working with .lnk files? One that I could just plug in an alternate implementation of by exporting the same symbols? Probably not. Its probably lumped in with hundreds of other unrelated functions in some binary that can't be replaced without a significant amount of reverse engineering.

      In the end you're still at Microsoft's mercy. Hope their

  • by Anonymous Coward

    SP2 support ended earlier this month. You know what that means. No patch unless you have a custom support contract. Hasta la vista.

  • While they are at it they should remove the functionality to open a .lnk file in media player. My wife had media player as the default player, and she had some .mp3 files on her system. I'm guess she got these from limewire or something. They wouldn't play in itunes, so I tried opening them in media player and it said it was a filetype that didn't match it's extension, open anyways? So I said yes, thinking that it might of been a wma that was renamed by a dummy, and then instantly a web browser window opene

Help! I'm trapped in a PDP 11/70!

Working...