Today, Microsoft released a special out-of-band patch which repairs a single Remote Code Execution vulnerability in how Windows Shell processes .lnk files.
Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.
As always, eEye suggests that all users apply Out of Band Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's
Vulnerability Expert Forum hosted by the eEye Security Research Team.
For more information on patch precedence, see the eEye Versa Newsletter article
Patch Tuesday Prioritization for a Large Enterprise.
MS10-046 - Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspxMicrosoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting validation of shortcut icon references.
- Shortcut Icon Loading Vulnerability - CVE-2010-2568
A remote code execution vulnerability exists in affected versions of Microsoft Windows. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the operating system displays the icon of a malicious shortcut file. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. This update addresses a vulnerability previously discussed in Microsoft Security Advisory 2286198.
Analysis
A vulnerability exists in how Windows Shell processes LNK and PIF files. This could be exploited to give an attacker the ability to execute arbitrary remote code on a victim's system. To exploit this vulnerability, an attacker would need to attempt to convince a user to visit a malicious page controlled by the attacker. Alternative strategies have included exploiting the vulnerability through USB propagation. Stuxnet trojan used this technique successfully. The Windows shell would process a malicious icon embedded in a LNK/PIF file hosted on the site. This would exploit the vulnerability, giving the attacker privileges equal to the current user. If the user had Administrator privileges, the attacker would have gained complete control of the system.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until this patch is rolled out, administrators should 1) disable LNK and PIF files from being downloaded, 2) Set the value of the default value in HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler and HKEY_CLASSES_ROOT\piffile\shellex\IconHandler to empty, 3) block the WebClient service from running on client machines, and 4) block outbound SMB connections for when machines connect to systems outside of the network.
The eEye Advantage
Assessment
eEye Digital Security's customers can update their Retina scanner to detect systems vulnerable to these latest issues and verify that this month's Microsoft patches are installed. Updated vulnerability audits are automatically available to eEye Retina vulnerability assessment customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/August-2010-OOB.aspx
Protection
eEye's line of security modules protect from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations. Current protection customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required.
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit
http://www.eeye.com/VEF.