Critical Vulnerability in Windows Shell Could Allow Remote Code Execution

There is a reported vulnerability in Microsoft Windows that allows code execution simply by viewing the location of a .LNK file with Windows Explorer or another file manager that can display icons. This happens because Windows fails to properly obtain icons for LNK files and automatically executes code specified in a specially crafted shortcut file. Viewing the location of the LNK file in Windows Explorer is sufficient to trigger the vulnerability. An attacker will most likely exploit this vulnerability via an infected USB thumb drive or hard drive.

There is currently no patch available from Microsoft, and this vulnerability exists in **ALL** versions of Microsoft Windows (Windows XP, Server 2003, Vista, Server 2008, Windows 7, etc.).

Workarounds:

A)  Disable the displaying of icons for shortcuts:

1. Click Start, click Run, type Regedit in the Open box, and then click OK

2. Locate and then click the following registry key:

        HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

3. Click the File menu and select Export

4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save

        Note: This will create a backup of this registry key in the My Documents folder by default.

5. Select the value (Default) in the right-hand pane of the Registry Editor. Press Enter to edit the value. Remove the data so that the value is blank, and press Enter.

6. Restart explorer.exe or restart the computer.

B) Disable the WebClient service (if possible)

1. Start -> Run -> Services.msc

2. Right click on WebClient and select Properties

3. Change Startup type to Disabled.  If the service is running, click Stop.

4. Click OK and close the Services console.
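The same two workarounds (A and B) as an added PowerShell script for administrators rolling this out to many machines; this is not from the advisory or from Microsoft. The registry path and service name are the ones given above; the function names are my own, and the script assumes an elevated PowerShell 2.0 or later prompt on a Windows 7-era system.

```powershell
# Added example: apply workarounds A and B and report whether they are in place.
$IconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$BackupFile     = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'LNK_Icon_Backup.reg'

function Backup-LnkIconHandler {
    # Steps A.3-A.4: export the key first so the original handler can be restored
    # once a patch is installed. Aborts before touching the registry if the export fails.
    reg.exe export 'HKCR\lnkfile\shellex\IconHandler' $BackupFile /y | Out-Null
    if (-not (Test-Path $BackupFile)) { throw 'Backup failed; registry left unchanged.' }
    return $BackupFile
}

function Disable-LnkIconHandler {
    # Step A.5: blank the (Default) value so Explorer no longer loads the icon handler.
    Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value ''
    # Step A.6: restart Explorer so the change takes effect for the current session.
    Stop-Process -Name explorer -Force
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        Start-Process explorer.exe   # only if the shell did not restart on its own
    }
}

function Disable-WebClientService {
    # Workaround B: stop the service (if running) and prevent it from starting again.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return $false }   # service not present on this edition
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    return $true
}

function Test-LnkWorkarounds {
    # Audit check: returns $true for each workaround that is currently applied.
    $handler = (Get-ItemProperty -Path $IconHandlerKey).'(default)'
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    return @{
        IconHandlerBlanked = [string]::IsNullOrEmpty($handler)
        WebClientDisabled  = ($wmi -eq $null) -or ($wmi.StartMode -eq 'Disabled')
    }
}

Backup-LnkIconHandler
Disable-LnkIconHandler
Disable-WebClientService
Test-LnkWorkarounds
```

Re-importing LNK_Icon_Backup.reg with Regedit (or reg.exe import) reverses workaround A after the patch is applied.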

C) Disable autorun

Disabling autorun increases the amount of user interaction required to trigger this vulnerability, but it does not block the vulnerability itself.

For more information on how to disable autorun, please visit this Microsoft article: http://support.microsoft.com/kb/967715

D) Use least privilege

Whenever possible, log in and run programs as a normal user rather than as an administrator, to limit the impact of this and other vulnerabilities.

For more information, please visit:

http://www.microsoft.com/technet/security/advisory/2286198.mspx

http://www.kb.cert.org/vuls/id/940193

http://www.f-secure.com/weblog/archives/00001987.html

http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf

We will keep you posted as to when a patch is available from Microsoft.

Thank you.