Microsoft To Issue Emergency Fix For Windows .LNK Flaw
Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."
Re: (Score:1)
Microsoft has been suffering and fixing security holes for decades, not that interesting.
Remember the Blaster worm? This is its younger cousin.
Re: (Score:2)
Re: (Score:2)
Ah. *nix had, and fixed, network vulnerabilities long before there even was a Windows. Definitely before Windows even had networking.
We know this. What's confusing is how pointing this out serves your desire for advocacy.
Also curious is how this is an emergency. The patch blocks one hole in a colander. Couldn't that wait a week?
Re: (Score:1)
Re: (Score:1)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
I hear you. Those damn Linux boot loaders can be hard to get rid of.
Indeed. I've been using SYSLINUX and COM32 for some time now and I love them to pieces. They make NTLDR, and, to a lesser extent, the Windows Boot Manager, look like kids' toys.
Re: (Score:1)
I hear you. Those damn Linux boot loaders can be hard to get rid of.
Indeed. I've been using SYSLINUX and COM32 for some time now and I love them to pieces. They make NTLDR, and, to a lesser extent, the Windows Boot Manager, look like kids' toys.
The what now? Someone needs to tell Linux that the age of the 1-click iPad has begun. There is a reason for its success. Usability is one of them. Linux is good for being l33t though.
Re: (Score:3, Funny)
...SYSLINUX....COM32...NTLDR... Windows Boot Manager...
The what now? ...the age of the 1-click iPad has begun. There is a reason for its success...
My Lawn! You BASTARD!
The 1 click wonder? (Score:3, Funny)
An ipad? ROTFL. Let's see you develop SOFTWARE for that ipad... on your ipad.
Apple users need to learn to speak without steve's hand up their anus...
Re: (Score:2)
Re: (Score:2)
No, it doesn't fill the Tablet PC niche;
Ain't that the truth.
I've got a Viliv S5, [myviliv.com] and for what I bought it for (portable MKV/h264 playback and general nerdiness), it function[ed] well (I add the past tense because there's an issue with the Windows 7 wifi driver for it that makes it damn near impossible to stream anything). I have though for the most part stopped using it in favor of AirVideo on my iPhone. Mostly because the phone fits in my pocket. While I find myself watching a TV show or something in bed and think "Hrmmz this would look bet
Re: (Score:2)
How about not using Windows media center?
Better more interoperable solutions exist. Heck you could even use vlc on your current setup and stream to whatever device you wanted so long as it can handle normal video streams.
Re: (Score:2)
It's neat stuff, but it's really waiting for a breakout to the mainstream. Windows 7 has made it vastly more powerful, but it'
Re: (Score:1, Flamebait)
Heck you could even use vlc
There's a small problem centered on VLC really, really, really, extra-super-holy-fuck-it's-a-pile-of-shit sucking. Sure it "plays everything," but until they drop FFMpeg on Windows and embrace directshow or Media Foundation (and by extension, DXVA) it's going to continue to be a heaping pile of shit until the end of time. Not to mention the shitty interface. I've never gotten optical output to work correctly on it, it eats CPU, and it wasn't until just over a year ago that you could even change the volum
Re: (Score:2)
XBox 360's are cheaper and more compact than any computer that would fit the bill, and they have a nice remote
You're welcome [google.com].
Re: (Score:2)
Re: (Score:3, Interesting)
VirtualBox is great. I agree that dual boot is a pain, but no access to Windows at all is a pain too. I have an XP VM in VirtualBox (in Ubuntu), so I can use the few Windows-only programs I occasionally need without any trouble.
getting things done (Score:2)
Re: (Score:2, Informative)
Except for the fact that I've never had a Windows box that got compromised or infected with any kind of virus, trojan or malware. Most "vulnerabilities" in Windows are user initiated. Practice a little common sense (ie. don't run things that come from questionable or unknown sources) and you are unlikely to ever see a problem.
Baloney. Let me guess, you don't have any antivirus installed either, because you don't need it? Either you haven't been using Windows for very long or your only Windows box is turned off in the corner. Back in the 90s I got a disk from my school that was infected with Stoned [wikipedia.org], and a few years later bought a CD-ROM game that came with Michelangelo [wikipedia.org] on the disc itself. Even more recently, hardware from (more or less) reputable sources come preloaded [slashdot.org] with [sunbeltsoftware.com] malware [sophos.com]. Heck, part of my job is removing malware from P
Re: (Score:2, Insightful)
If you want to play games, buy a 360...
i want to play starcraft 2 you insensitive clod..
Re: (Score:2)
All the reports on WineHQ say it works just fine.
works about as well as windows ever did (Score:2)
Years ago I bought a CD of American McGee's Alice. This was the only game cd I ever actually paid for, and I even installed XP just to run it. Guess what? It never worked. I tried tracking down support info, I tried several tricks and patches and the goddamn thing never worked. The closest I ever got that damn disk to working was under wine. Oh, the irony.
A 360 does what it does. A 360 is not a desktop with access to all my email and shit. A 360 may be a walled garden but that's fine just so long as it play
Re: (Score:3, Insightful)
If you want to play games, buy a 360...
How do you install System Shock 2 on an X-Box 360? There are games that aren't supported by $CONSOLE but that people still want to play.
If you want to do dualbooting right, just move all of your data to one of the Linux partitions and erase them from the Windows partition. Then uninstall the corresponding programs. Once you're unable to check your mail/chat/etc. in Windows you'll have a much smaller incentive to stay there for longer than necessary.
Re: (Score:2)
If you want to play games, buy a 360...
Do you want to sponsor me a 360 and a HDTV? No?
Re: (Score:2)
If you want to play games, buy a 360...
For those of us who don't have money, a 360 is rather expensive. I paid $20 for an NVIDIA GeForce 210 after the $30 rebate. That has 512 megs of DDR2 memory and some other pretty snazzy specs for the money. That opened up quite a few games for me. I've even managed to run Crysis (not at full spec, but it was smooth). An xbox is quite a bit more expensive than an upgrade.
Re: (Score:2)
Comments like this kinda piss me off, because they make Linux users look like idiots.
If you want to brag about the size of your e-penis, and how you "only use linux," then more power to you.
But it's pretty ridiculous to basically tell other people, "Linux isn't good at that, so fuck you, you shouldn't use a computer for it."
I use Linux on all four of my computers at home. But do you know what I would do if I wanted to play a Windows game? I'd install Windows
If they listened to Gibson, Blaster wouldn't happen (Score:1)
I remember everyone laughing at GRC.com for alerting about port 135 being wide open to the net. While his kind of language (nano somethings etc.) can be blamed, nobody listened to him and Blaster happened.
Funny thing is, even a non computer geek can be convinced that autorunning programs in this age is a bad thing in 10 seconds and yet MS doesn't disable it.
You know one of the most dangerous and destructive viruses on MacOS (not OS X) is actually named "autorun"? So, the vendor (Apple) did what?
Friday sysadmin appreciation day, (Score:5, Funny)
http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx [technet.com]
Realtek certificate (Score:4, Interesting)
Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft officials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.
In hindsight the vendor certificate is a weakness in the entire process simply because access to the signing key bypasses the controls in place. Hardware vendors aren't likely to be as conscious, at least until this incident, of the need to maintain proper security around their signing keys, nor are there requirements enforcing such security. In comparison keys used for financial transactions are generally held in HSMs with strong access controls around them to prevent the revealing of the private key. This particular rootkit was specifically confined to SCADA so the impact was always going to be small, but the malware could've easily been targeted to attack general Windows installs .. who knows how much damage it could've caused then?
Luckily this specific certificate was going to expire soon so there was probably less resistance from the vendor in revoking it than there might've been, but if such revocation was going to invalidate significant numbers of drivers then that would've posed the problem of either leaving the certificate valid to be used for other types of malware or revoking it and invalidating however many drivers had already been signed by that key. Unfortunately it's not very likely that hardware manufacturers will ever submit to using HSM-type devices or the processes necessary to ensure key secrecy, so it looks like this will just have to be yet another potential attack vector that's caused by vendor negligence.
Re: (Score:2)
Damn those karaoke bars streaming live to the net!
Re: (Score:2)
Can't Microsoft remove the certificate from Windows through a patch? Then they could say "secure your signing certs or we'll delete your certs from Windows and you'll have a shitstorm of angry clients who can't use your drivers to deal with".
Re: (Score:1)
Certificates don't work like that.
Microsoft runs a Certificate Authority. This has a public and private key. The public key is part of a Windows install. The private key is kept safely somewhere at MS, and used to sign certificates for other companies like Realtek.
Then at install time, there is a check: this driver is signed by the Realtek key, which itself is signed by the Microsoft key. Therefore it's trusted, and it's okay to install.
For revocation, MS will publish a revocation list somewhere, wh
Re: (Score:2)
Right, I was thinking about something closer to browsers, which include a large list of CA Certs, but you can remove one of them and then all the certs signed by that CA would not be trusted.
I thought Windows included a large number of HW manufacturers' certs, not a single "Microsoft cert" with which HW certs were signed against.
Re: (Score:3, Insightful)
Fine then, the question is why doesn't MS REVOKE the Realtek cert?
The USEFUL answer is that they did.
Re: (Score:2)
Yes, the drivers would stop working, which would bring the shitstorm against the HW manufacturer. That was my point.
But according to your "sibling" post Windows HW certs don't work like that, so there's nothing Microsoft can do.
Re: (Score:2)
Re: (Score:2)
e.g. Did Realtek screw up on the cert handling or the components were actually made by realtek but were flexible enough to be abused by hackers?
Re: (Score:2)
It's incredible that MS doesn't force a UAC check on signed driver installs. That's really the fix, not this patch. These companies will never be able to properly secure their keys. It's time we started admitting that the trust in signed code is forever broken.
Is copy-and-pasting "writing"? (Score:4, Insightful)
what is this .lnk flaw anyway? (Score:5, Funny)
I still haven't understood what this .lnk flaw actually is, or what fun things it might be used for (and how).
The previous discussion about this talked about SCADA systems, so I read the wikipedia article about SCADA but still don't quite get what it really is. And the vulnerability seemed to only be exploited on one particularly stupid system which used a hard-coded password.
And it seemed to also require the use of Autorun/Autoplay which should obviously be disabled anyway. I have 2 files to take care of that on all my USB drives:
Autorun.inf:
[AutoRun]
open=autorun.cmd
shell\open\Command=autorun.cmd
shell\explore\Command=autorun.cmd
And autorun.cmd:
@ECHO OFF
ECHO ALERT: You have autorun enabled on this drive (%~d0)!
ECHO.
ECHO Trying to disable it:
@ECHO ON
REM NoDriveTypeAutoRun is a value under the Explorer policy key, not a key of its own;
REM 255 (0xFF) disables AutoRun for every drive type.
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
REM Map Autorun.inf to a registry section that does not exist, so Windows never parses any autorun.inf.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d "@SYS:Autorun-Disabled" /f
@ECHO OFF
ECHO.
ECHO You may need to reboot.
ECHO.
@pause
Re: (Score:2)
the side effect of turning off autorun [...] might not be desirable (e.g., if it's someone else's machine)
For me, it is the desired side-effect, because these people will usually call me for help when they get a virus. I do tell them that I disabled it though, and try to explain why if they seem willing to listen.
Also, if a worm blindly writes its own autorun.inf file, then your modified one will get overwritten. Make sure you at least write-protect the file.
The files do have the read-only attribute.
autorun correctly disabled [us-cert.gov]
One of my 2 reg entries is actually what is recommended in your link.
What I don't know yet is if it works on Win7 or if something else is needed. I'm not so much into fixing Windows any more, since I switched to Ubuntu. There's enough to do to try to fix/custom
It is MS to do it (Score:2)
Your fix doesn't matter as 99% of people out there will wander around with autorun enabled.
MS have to copy Apple's way of doing things. How long did it take for Apple to fix the "startup items" flaw? They changed the scheme of doing things, did a couple of permission tricks and prompted the user with a complete non-nerd window saying something like "Wrong permissions in Startup Items", with 2 options "fix" / "don't fix", "fix" selected by default.
Or, they figured Input Manager functionality which allows running from user's
Re: (Score:2, Interesting)
From what I've understood, it is a buffer overflow in the way .lnk are handled that has been exploited.
It doesn't require autorun, just the reading of the .lnk (which happens when you're displaying the .lnk in the explorer)
The flaw has been discovered from Stuxnet, a virus that happens to target specific systems, but is in no way limited to these systems.
By the way, does anyone know if it is possible to put a noexec on USB keys like you can on unices? Although it wouldn't help about this flaw, it is usuall
Re:what is this .lnk flaw anyway? (Score:5, Informative)
Re: (Score:1, Informative)
Please mod this down, the bug in the lnk handling does in no way require autorun, just browsing the folder will do. This btw also works with webdav shares (have fun ie users).
Re: (Score:1, Informative)
Then please do not comment upon it that way. And no, it does not need Autorun/Autoplay.
Just getting the shortcut displayed in your file-browser window is enough to trigger the "exploit". And as most installations are "helpful" enough to open the root-folder of the removable media you put into the machine, that "looking at" is fully automated.
Even if not, simply clicking on the USB-sticks
Re: (Score:2)
SCADA systems are the type of things that control nuclear reactors, power generation, power distribution, water distribution, and many more.
For this reason the Siemens attack used a USB method, as typically SCADA systems are either heavily firewalled and/or air-gapped. Sneaker-net should be the only way to get into those networks when done right, and even then sneaker-net methods should be very restricted.
Siemens HMI/SCADA [siemens.com].
Re: (Score:2)
Thanks for the detailed explanations. I got it at last.
The really interesting bit (Score:5, Insightful)
Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer.
How do you suppose the crackers got a hold of Realtek's digital certificate? Seems to imply a level of sophistication that goes beyond most virus writers, many of whom are industry professionals these days. A government-backed organization maybe or well-funded industrial espionage.
Behold the true face of cyberwar!
Re:The really interesting bit (Score:4, Insightful)
Re: (Score:3, Insightful)
Re: (Score:1, Insightful)
Virus authors aren't script kiddies anymore. They're trained software engineers. Remember Conficker? It had an implementation of MD6 only a few weeks after the specifications were released (it even contained a buffer overflow which was a fault in the specifications). However, to get a digital certificate signed, I'm guessing some bribery was in order. I'm guessing spam pays a lot these days, when it's done right.
Re: (Score:2)
How do you suppose the crackers got a hold of Realtek's digital certificate?
My best speculation on that is an actual hacker (or hacker group) managed to extract the private key through nefarious means, possibly via a botnet-controlled or similarly zombified computer inside Realtek, and then it was sold on the underground malware market.
It's very unlikely the makers of Stuxnet were actually the ones that stole the key in the first place. Does make one wonder how much such a key would go for? I would expect
Windows 2000 users (Score:5, Informative)
A friendly warning to all Windows 2000 users out there, your OSs will remain vulnerable (unless you have a private agreement with MS).
Support for you ended two weeks ago.
http://support.microsoft.com/lifecycle/?LN=en-us&x=17&y=3&p1=3071 [microsoft.com]
Win2K users not running AV? (Score:1, Offtopic)
As a person in the TV industry, I can really relate to "people still running Windows 2000" but, trust me, it is absolutely suicidal if one doesn't run a commercial quality AV actually doing heuristics like Kaspersky or F-Secure.
I am not a shareholder in these companies of course, it is just that they are running way deeper security checks and actually watching what really happens on the OS. People blame them for being heavier than "freeware av" for that reason.
If you can live with pro-active way of doing things,
Re: (Score:3, Insightful)
This is especially important to anyone actually using the SCADA software this virus attacks. Some versions of WinCC are incompatible with XP (as in "only certified to run on Windows 2000"; I'm sure nothing technical prevents running in XP). So actually quite a large portion of the target group remains unpatched.
Re: (Score:2)
This attack can only use the credentials of the logged in user. Running as limited user limits its ability to do anything outside of your profile. That and basic AV means Win2000 is usable for a long time in the future.
Re: (Score:2)
Is the free version of the latest Avast AV enough for updated Windows 2000 SP4 users?
Thank %DIETY% (Score:2)
The real flaw on 3 different OS won't be fixed (Score:4, Insightful)
For some reason, MS will shy away from mandatory CRL/OCSP checks. Bandwidth issues for 1 kb traffic?
Realtek drivers, as they are software/hardware hybrid (more like softmodem) with unnecessary junk like an extra control panel, weigh around 40 MB. Everyone knows it since we have to deal with their aspx powered weirdo site when vendors, including Apple Inc., install old versions of drivers. What kind of harm would Windows do asking the certificate vendor (Verisign in this case) if the certificate is real?
This is also a mistake by Apple too, they don't enable ocsp, at least to "best attempt" in fresh OS X install. You gotta do it in keychain utility preferences. Sad that, on OS X way of doing things, that would mean an instant security boost since native OS X apps uses the same framework for SSL comms.
Funny is, this is also a problem on Symbian which doesn't rely on "app store". For example, on Nokia E71, one must live a complete usability hell if he/she enables "online certificate revocation check". They just couldn't fix the freaking UI and disabled online certificate check for signed symbian apps. So what happens if some dumb shareware vendor loses their certificate or they actually freely sign malware? You install AV. All this for saving (!) 1 KB of traffic.
So, even if Verisign revokes it (or hurries, whatever), it won't have any effect until MS/Apple/Symbian (don't know others) wake up and enable certificate revocation checks by default in these days even your heater is connected to the internet.
The real problem is who to trust... (Score:2)
They can revoke keys but then there is a new problem:
-What if the system becomes unusable without a certain driver (maybe even because the rootkit kills the system deliberately in that case). Who is responsible?
-If the user gets prompted, what are his options? (e.g. in the simple case his system clock is wrong, but the error message is not clear).
-What if revoking disables the sound of 66% of the windows machines and ONLY disable 0,001% the rootkit (but not even the actual virus).
If you think this over, you
"have been exploiting for several weeks now..." (Score:1)
Re: (Score:3, Informative)
because for various reasons (some that are even good), Microsoft only normally release patches once a month. When they can't wait, they call it an emergency fix. Simple enough?
LNK is an Open Specification (Score:4, Interesting)
http://msdn.microsoft.com/en-us/library/dd871305(PROT.13).aspx [microsoft.com]
~ king
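As an added example (my own code, not Microsoft's and not from the linked specification or any poster here), a Python parser that checks a .lnk file's ShellLinkHeader against the public MS-SHLLINK layout and walks its LinkTargetIDList, collecting structural oddities that a triage script could report for shortcuts found on removable media. The header offsets and the LinkCLSID follow the spec; the sample input is constructed inline and is not a real shortcut.

```python
import struct
from dataclasses import dataclass, field

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST = 0x00000001  # LinkFlags bit: a LinkTargetIDList follows the header

@dataclass
class LnkSummary:
    link_flags: int
    file_size: int
    idlist_items: list = field(default_factory=list)  # byte size of each ItemID
    issues: list = field(default_factory=list)        # structural problems found

def parse_lnk(data: bytes) -> LnkSummary:
    """Validate the 76-byte ShellLinkHeader and walk the LinkTargetIDList.
    Oddities are collected in .issues rather than raised."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    clsid = data[4:20]
    link_flags, = struct.unpack_from("<I", data, 20)   # offset 20: LinkFlags
    file_size, = struct.unpack_from("<I", data, 52)    # offset 52: FileSize
    s = LnkSummary(link_flags=link_flags, file_size=file_size)
    if header_size != LNK_HEADER_SIZE:
        s.issues.append(f"HeaderSize 0x{header_size:x} != 0x4C")
    if clsid != LNK_CLSID:
        s.issues.append("LinkCLSID is not the shell link CLSID")
    if not link_flags & FLAG_HAS_IDLIST:
        return s
    off = LNK_HEADER_SIZE
    if off + 2 > len(data):
        s.issues.append("HasLinkTargetIDList set but IDListSize missing")
        return s
    idlist_size, = struct.unpack_from("<H", data, off)
    off += 2
    end = off + idlist_size
    if end > len(data):
        s.issues.append("IDListSize runs past end of file")
        end = len(data)
    # Each ItemID starts with a 2-byte size that includes the size field;
    # a 2-byte zero TerminalID closes the list.
    terminated = False
    while off + 2 <= end:
        item_size, = struct.unpack_from("<H", data, off)
        if item_size == 0:
            terminated = True
            break
        if item_size < 2 or off + item_size > end:
            s.issues.append(f"ItemID at offset {off} has bad size {item_size}")
            break
        s.idlist_items.append(item_size)
        off += item_size
    if not terminated:
        s.issues.append("IDList not closed by a TerminalID")
    return s

def build_sample_lnk(items, flags=FLAG_HAS_IDLIST) -> bytes:
    """Constructed test input: minimal header plus the given ItemID payloads.
    Not a real shortcut, just enough structure to exercise parse_lnk."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", flags, 0)      # LinkFlags, FileAttributes
    header += b"\0" * 24                         # Creation/Access/Write FILETIMEs
    header += struct.pack("<Iii", 0, 0, 1)       # FileSize, IconIndex, ShowCommand
    header += struct.pack("<HHII", 0, 0, 0, 0)   # HotKey, Reserved1..3
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\0\0"
    return header + struct.pack("<H", len(body)) + body
```

Run parse_lnk over the bytes of any shortcut file; a non-empty issues list means the file does not follow the documented layout and deserves a closer look.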
Re: (Score:1, Interesting)
How does that do us any good though? It's not like Microsoft's implementation can be easily replaced is it? Do they use a well documented stand alone library for working with .lnk files? One that I could just plug in an alternate implementation of by exporting the same symbols? Probably not. Its probably lumped in with hundreds of other unrelated functions in some binary that can't be replaced without a significant amount of reverse engineering.
In the end you're still at Microsoft's mercy. Hope their
Windows XP SP2 will not be patched (Score:1, Informative)
SP2 support ended earlier this month. You know what that means. No patch unless you have a custom support contract. Hasta la vista.
Re: (Score:2)
Re: (Score:2)
Not everyone can upgrade though like IT, weird software issues, etc. Oh well, their losses. :)
While they are at it (Score:2)
Re: (Score:2)
I could see putting off migrating to Vista/Seven... But not installing a service pack?, that's just dumb...