CVSS2 base score: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.971 High (percentile 99.8%)
Microsoft Windows automatically executes code specified in shortcut (LNK and PIF) files.
Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. A PIF file is a shortcut to a MS-DOS application. Clicking on a LNK or PIF file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to calc.exe will launch calc.exe, and clicking a shortcut to readme.txt will open readme.txt with the associated application for handling text files.
Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a shortcut file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive, such as a USB thumb drive, is connected. Other applications that display file icons can be used as an attack vector for this vulnerability as well. When used in conjunction with a WebDav resource, Internet Explorer can be used as an attack vector for this vulnerability. With the case of Internet Explorer, no user interaction beyond viewing a web page is required to trigger the vulnerability.
This vulnerability is being exploited in the wild to spread malware (Stuxnet) that targets control systems. Exploit code for this vulnerability is publicly available.
By convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device. This vulnerability can also be triggered by viewing a web page with Internet Explorer or opening a document with Microsoft Office.
Apply an update
This issue is addressed in Microsoft Security Bulletin MS10-046. Also consider the following workarounds:
Disable the displaying of icons for shortcuts
According to Microsoft Security Advisory 2286198:
Note: See Microsoft Knowledge Base Article 2286198 to use the automated Microsoft Fix it solution to enable or disable this workaround.
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
Disable AutoRun
Disabling AutoRun can increase the amount of user interaction that is required to trigger this vulnerability. It will not block the vulnerability, however. Please see Microsoft Support article 967715 for more details. Setting the NoDriveTypeAutoRun registry entry to 0xFF should provide the highest amount of protection.
Use least privilege
Use a "least privilege" approach to user accounts. By reducing the privileges of the user accounts, the impact of this and other vulnerabilities may be reduced. More information about this technique is available in the Microsoft TechNet article Applying the Principle of Least Privilege to User Accounts on Windows XP. Note that these concepts still apply to Windows Vista and newer operating systems.
Disable the WebClient service
According to Microsoft Security Advisory 2286198:
Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.
To disable the WebClient Service, follow these steps:
Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will help prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block an attack vector for this vulnerability.
Use a web browser other than Internet Explorer
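The following audit script is added here and is not part of the CERT/CC note or of Microsoft's advisory. It reports, read-only, the state of each mitigation described above on the local host (the IconHandler keys, NoDriveTypeAutoRun, the WebClient service, and the MS10-046 package), and assumes it runs in an elevated PowerShell 3.0 or later prompt on the Windows machine being checked; each row is independent, so a patched host may legitimately show the workarounds as not applied.

```powershell
# Added audit script; not part of the CERT/CC note or of Microsoft's advisory.
# Read-only: reports the state of the mitigations listed above, changes nothing.
# Assumes it runs on the audited Windows host in an elevated PowerShell 3.0+ prompt.

function Get-ShortcutIconHandlerState {
    # "Disable the displaying of icons for shortcuts": Microsoft's workaround
    # clears the (Default) value of these two IconHandler keys.
    $keys = 'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
            'HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
    foreach ($k in $keys) {
        $path = "Registry::$k"
        $clsid = if (Test-Path $path) { (Get-Item $path).GetValue('') } else { $null }
        [pscustomobject]@{ Check = $k; Mitigated = [string]::IsNullOrEmpty($clsid)
                           Detail = if ($clsid) { $clsid } else { 'handler cleared or key absent' } }
    }
}

function Get-AutoRunState {
    # "Disable AutoRun": NoDriveTypeAutoRun = 0xFF turns AutoRun off for every
    # drive type (KB967715); machine policy is checked first, then the user's.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{ Check = "$hive NoDriveTypeAutoRun"; Mitigated = ($v -eq 0xFF)
                           Detail = if ($null -eq $v) { 'not set' } else { '0x{0:X2}' -f $v } }
    }
}

function Get-WebClientState {
    # "Disable the WebClient service": disabled and stopped closes the WebDAV path.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    $ok = ($null -eq $svc) -or ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
    [pscustomobject]@{ Check = 'WebClient service'; Mitigated = $ok
                       Detail = if ($svc) { "$($svc.StartMode)/$($svc.State)" } else { 'not installed' } }
}

function Get-Ms10046State {
    # "Apply an update": MS10-046 ships as KB2286198. Assumes the update was
    # installed as that standalone package; newer cumulative updates supersede
    # it without listing this KB, so 'not listed' alone is not proof of exposure.
    $fix = Get-HotFix -Id KB2286198 -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'MS10-046 (KB2286198)'; Mitigated = [bool]$fix
                       Detail = if ($fix) { "installed $($fix.InstalledOn)" } else { 'not listed' } }
}

$(Get-ShortcutIconHandlerState; Get-AutoRunState; Get-WebClientState; Get-Ms10046State) |
    Format-Table Check, Mitigated, Detail -AutoSize
```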
Vulnerability Note VU#940193
Vendor: Microsoft. Status: Affected. Notified: July 15, 2010. Updated: August 02, 2010.
We have not received a statement from the vendor.
This issue is addressed in Microsoft Security Bulletin MS10-046.
This vulnerability was discovered by VirusBlokAda through its exploitation in the wild.
This document was written by Will Dormann.
CVE IDs: CVE-2010-2568
Severity Metric: 72.90
Date Public:
isc.sans.edu/diary.html?storyid=9190
krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
secunia.com/advisories/40647/
support.automation.siemens.com/WW/view/en/43876783
support.microsoft.com/kb/2286198
support.microsoft.com/kb/967715
www.anti-virus.by/en/tempo.shtml
www.f-secure.com/weblog/archives/00001986.html
www.f-secure.com/weblog/archives/00001987.html
www.f-secure.com/weblog/archives/new_rootkit_en.pdf
www.microsoft.com/technet/security/advisory/2286198.mspx
www.microsoft.com/technet/security/bulletin/ms10-046.mspx
www.securityfocus.com/bid/41732