XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
It is currently Sun Sep 05, 2010 1:43 am

All times are UTC - 8 hours [ DST ]

 Post subject: Sophos releases free fix for zero-day .lnk vulnerability
Posted: Tue Jul 27, 2010 6:13 pm
Master

Joined: Sun Apr 20, 2008 6:24 am
Posts: 5154
Location: North of the State of Jefferson
http://www.sophos.com/products/free-too ... -tool.html

Microsoft hasn't said when it'll get around to fixing this rather serious flaw related to .lnk files. The vulnerability can be triggered from a great many remote sources, including network shares and web pages, even with AutoRun and AutoPlay turned off. It is being actively exploited.

It was kind of the folks at Sophos to offer this free tool to protect against the Windows flaw.

- Anonymous

 Post subject: Re: Sophos releases free fix for zero-day .lnk vulnerability
Posted: Wed Jul 28, 2010 7:12 pm

Joined: Thu May 15, 2008 9:13 pm
Posts: 1982
Location: Inner Suburbia, MI
Hmm, I wonder if enabling the ability to see .lnk extensions helps protect against it.

 Post subject: Re: Sophos releases free fix for zero-day .lnk vulnerability
Posted: Wed Jul 28, 2010 10:29 pm
Master

Joined: Sun Apr 20, 2008 6:24 am
Posts: 5154
Location: North of the State of Jefferson
MonkeyBoy wrote:
Hmm, I wonder if enabling the ability to see .lnk extensions helps protect against it.

It doesn't sound like it. In particular, it appears as if the lnk files can be coaxed into doing their magic without any real user involvement, so seeing them wouldn't help much. Sophos also claims they can be triggered through a web site, somehow, but I haven't looked at the details of the vuln to figure out what's really happening. I don't do enough with Windows to care too much, and don't have quite enough spare time to bother chasing it down in the absence of a need to know. Still a little curious though...

- Anonymous

 Post subject: Re: Sophos releases free fix for zero-day .lnk vulnerability
Posted: Thu Jul 29, 2010 2:22 pm

Joined: Thu May 15, 2008 9:13 pm
Posts: 1982
Location: Inner Suburbia, MI
Yeah, it doesn't look like enabling the display of .lnk does anything worthwhile since they're exploiting a bug in a Microsoft-written IconHandler extension, which thanks to Microsoft's "layered" security model has lax security for local & LAN connections (maybe someday they'll jettison that ridiculous concept and just implement a real security model).

The bug depends on making Windows Explorer read the infected file, which would implicate Internet Exploder and other Microsoft applications (Word, etc.) since Microsoft thinks it's absolutely wonderful to OLE Explorer, IE, Windows Media, etc. into everything they do, so a single exploit affects every app.

I would be mildly depressed if there was a way to trick Firefox into exploiting this bug, beyond simply downloading an infected file and then executing or (more likely) opening the folder containing the file (since if it's in IconHandler it's probably executed as part of displaying the icon). Simple, yes, but not having auto-execution take place should limit or at least delay the destructive potential to some extent. Instead of loading the wrong banner ad and being automatically exploited, you can right click on the item in download manager and delete files w/o involving Explorer. Well, maybe. Unless Firefox involves Explorer for displaying the icon in the download window.

There is a rather nifty little free tool I found that lets you disable/enable any and all shell extensions (from IE to Explorer, since they're two sides of the same coin). It's called shexview. Disabling the affected extension is seriously noticeable, though, but at least disabling/enabling is easier than deleting/re-importing the registry key. I highly recommend playing around with shexview at least once though, since you can make borderline systems so much more livable by trimming away third party and other useless extensions (third parties looooooove to plug into this stuff).
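As an added example (not code from this thread, and not shexview's own code): a PowerShell audit of every IconHandler shell extension registered under HKCR, in the spirit of what shexview lists, which resolves each CLSID to its DLL and reports whether the shortcut (lnkfile) handler is registered, blocked or cleared. It assumes, which the thread does not state, that the Microsoft workaround cleared the default value of HKCR\lnkfile\shellex\IconHandler, and that tools like shexview disable an extension by listing its CLSID under the Shell Extensions\Blocked key.

```powershell
# Added example (not from the thread, not shexview's code): audit every
# IconHandler shell extension registered under HKCR, resolve its CLSID to the
# DLL that implements it, and say whether it sits on Windows' "Blocked" list.
# Assumptions, labelled: the Microsoft workaround for the .lnk issue cleared the
# default value of HKCR\lnkfile\shellex\IconHandler, and tools like shexview
# disable an extension by adding its CLSID under the Shell Extensions\Blocked
# key. Run in an elevated PowerShell on the Windows box you are checking.

$blockedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked'
$blocked = @{}
if (Test-Path -LiteralPath $blockedKey) {
    foreach ($name in (Get-Item -LiteralPath $blockedKey).GetValueNames()) {
        $blocked[$name.ToLower()] = $true
    }
}

# Map a CLSID to its in-process server DLL (machine hive first, then user hive).
function Resolve-ShellExtensionDll([string]$clsid) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $server = "$root\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $server) {
            return (Get-ItemProperty -LiteralPath $server).'(default)'
        }
    }
    return '<not registered>'
}

# Every file-type key under HKCR that carries a shellex\IconHandler subkey.
$results = foreach ($key in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue) {
    $handler = "Registry::HKEY_CLASSES_ROOT\$($key.PSChildName)\shellex\IconHandler"
    if (-not (Test-Path -LiteralPath $handler)) { continue }
    $clsid = (Get-ItemProperty -LiteralPath $handler).'(default)'
    $dll = '<cleared>'; $isBlocked = $false
    if ($clsid) {
        $dll = Resolve-ShellExtensionDll $clsid
        $isBlocked = [bool]$blocked[$clsid.ToLower()]
    }
    [pscustomobject]@{ FileType = $key.PSChildName; CLSID = $clsid; DLL = $dll; Blocked = $isBlocked }
}

$results | Sort-Object FileType | Format-Table -AutoSize

# The shortcut handler is the one the thread is about: report its state explicitly.
$lnk = $results | Where-Object { $_.FileType -eq 'lnkfile' }
if (-not $lnk -or -not $lnk.CLSID) {
    Write-Host 'lnkfile IconHandler is cleared: workaround in place, shortcut icons will be generic.'
} elseif ($lnk.Blocked) {
    Write-Host "lnkfile IconHandler $($lnk.CLSID) is registered but blocked."
} else {
    Write-Host "lnkfile IconHandler $($lnk.CLSID) is active -> $($lnk.DLL)"
}
```

Third-party entries in the table are the ones the post suggests trimming; the final lines tell you whether the shortcut handler itself is still live.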

 Post subject: Re: Sophos releases free fix for zero-day .lnk vulnerability
Posted: Thu Jul 29, 2010 2:33 pm
he who stacks pork

Joined: Thu May 15, 2008 9:04 pm
Posts: 3164
Location: Uranus
“.Ink” file sounds like something used to tell if the printer is low on ink or something. Dunno if my PC has those, I rarely interface with it (it just sits there under full stream GPU load 24 x 7).

-he who stacks pork

_________________
Computer: Macintosh Powerbook 180, System 7.1, 100MB HD, 8MB Ram, external 20MB SCSI HD
Car: irrelevant. Bikes: 2009 Surly 1x1 Anniversary Edition, 2008 Ridley Damocles, 2010 Surly Big Dummy cargobike, and vlad is STILL jealous

 Post subject: Re: Sophos releases free fix for zero-day .lnk vulnerability
Posted: Thu Aug 05, 2010 12:28 pm

Joined: Thu May 15, 2008 9:13 pm
Posts: 1982
Location: Inner Suburbia, MI
Lowercase l not uppercase I. .L(i)NK.

Microsoft released a patch for this on Monday, 8 days before patch Tuesday. The press was clucking about how amazing that was.

Slow news day I guess.
