LandzDown Forum

Security => Security Alerts & Briefings => Topic started by: Corrine on July 17, 2010, 12:33:45 AM

Title: Microsoft Security Advisory (2286198)
Post by: Corrine on July 17, 2010, 12:33:45 AM
Microsoft has released Security Advisory 2286198, which addresses a publicly reported vulnerability in Windows Shell. From the Security Advisory:

Quote: "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives."

If AutoPlay is disabled, particularly for USB devices, in order for the vulnerability to be exploited, it would be necessary to manually browse to the root folder of the removable disk. AutoPlay for removable disks is automatically disabled on Windows 7. In the event you have enabled AutoPlay, it is strongly advised that it be disabled.

To disable AutoPlay the prerequisites in Microsoft KB Article 967715 (http://support.microsoft.com/kb/967715) must first be installed. If your computer is up-to-date, they are already installed. The KB Article also includes instructions on "How to disable the Autorun functionality in Windows".

Note that it is additionally reported on the MSRC Blog that, "In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware". For more information on Stuxnet, see the MMPC blog post. Of further interest, as the MSRC Blog reports:

Quote: "signatures in up-to-date versions of Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform protect customers against the Stuxnet malware."

Title: Re: Microsoft Security Advisory (2286198)
Post by: Corrine on July 21, 2010, 01:08:22 AM
Microsoft updated Microsoft Security Advisory 2286198 to provide an automated "Fix It" solution to implement the workaround provided in the original Security Advisory release.

The Fix it disables .LNK and .PIF file functionality automatically on a computer that is running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

Complete details about the Fix it solution to both enable the workaround and disable it after a security update has been released are available in Microsoft KB 2286198.

NOTE: Applying the Fix it will require a restart of the machine.

After a security update is released for this vulnerability, you can undo the changes made by the Fix it solution by using Microsoft Fix it 50487.


References:

    * KB 2286198: Vulnerability in Windows Shell could allow remote code execution (http://support.microsoft.com/kb/2286198)
    * MSRC Blog: Security Advisory 2286198 Updated (http://blogs.technet.com/b/msrc/archive/2010/07/20/security-advisory.aspx)
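The two registry-level workarounds this thread refers to (disabling Autorun per KB 967715, discussed in the first post, and the shortcut icon-handler change that the Fix it in this post automates), as an added PowerShell example. This is not code from the forum, from the KB article or from Microsoft. The registry paths are the ones KB 967715 and Security Advisory 2286198 name; the backup folder under $env:TEMP, the -Apply switch and the WebClient check (the advisory's second listed workaround, included because crafted shortcuts can also be served from WebDAV shares rather than only removable drives) are this example's own choices. Run it from an elevated prompt; without -Apply it only reports the current state.

```powershell
# Added example (not from the forum posts, KB 967715 or the advisory): audit, and with -Apply
# enforce, the workarounds discussed in this thread. Run from an elevated PowerShell prompt.
param([switch]$Apply)

# 1) AutoPlay/Autorun (KB 967715): NoDriveTypeAutoRun = 0xFF disables Autorun on all drive types.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -eq 0xFF) {
    Write-Output 'Autorun: already disabled for all drive types (0xFF)'
} else {
    Write-Output ("Autorun: NoDriveTypeAutoRun is '{0}' (0xFF disables all drive types)" -f $autorun)
    if ($Apply) {
        if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
        Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

# 2) Shortcut icon handler (the advisory workaround the Fix it automates): clearing the (Default)
# value of the IconHandler keys stops Explorer loading a handler to draw .LNK/.PIF icons.
# HKCR is a merged view of HKLM\SOFTWARE\Classes, so the keys are addressed through HKLM here.
$backupDir = Join-Path $env:TEMP 'lnk-workaround-backup'   # assumed location for the .reg backups
foreach ($ext in 'lnkfile', 'piffile') {
    $key = "HKLM:\SOFTWARE\Classes\$ext\shellex\IconHandler"
    if (-not (Test-Path $key)) { Write-Output "$ext IconHandler key not present"; continue }
    $handler = (Get-ItemProperty -Path $key).'(default)'
    if ([string]::IsNullOrEmpty($handler)) {
        Write-Output "$ext icon handler: already cleared"
    } else {
        Write-Output "$ext icon handler: $handler"
        if ($Apply) {
            if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
            # Keep a .reg export so the change can be reverted once the security update is installed.
            & reg.exe export "HKCR\$ext\shellex\IconHandler" (Join-Path $backupDir "$ext-IconHandler.reg") /y | Out-Null
            Set-ItemProperty -Path $key -Name '(default)' -Value ''
        }
    }
}

# 3) WebClient (WebDAV redirector): the advisory's second workaround; a crafted shortcut reached
# over WebDAV triggers the same icon-handler parsing as one on a removable drive.
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($webclient) {
    $startMode = (Get-WmiObject Win32_Service -Filter "Name='WebClient'").StartMode
    Write-Output ("WebClient service: {0}, start type {1}" -f $webclient.Status, $startMode)
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
    }
}

if ($Apply) { Write-Output 'Workarounds applied; restart (or at least log off) so Explorer picks up the changes.' }
```

Once the security update is installed, revert the icon-handler change either by importing the exported .reg files (`reg.exe import`) or, as the post notes, by running Microsoft Fix it 50487; leave NoDriveTypeAutoRun at 0xFF, since disabling Autorun is worth keeping independently of this vulnerability.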
Title: Re: Microsoft Security Advisory (2286198)
Post by: Eric the Red on July 27, 2010, 09:55:34 PM
Sophos have released a free tool to mitigate the effects of this zero-day exploit (I would hate to say it is a total cure).

Details of the tool may be found at this Sophos web page (http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html), which includes a link to the download.
Title: Re: Microsoft Security Advisory (2286198)
Post by: Corrine on August 01, 2010, 02:11:47 AM
On Monday, August 2, Microsoft will release an Out of Band update addressing the vulnerability in Security Advisory 2286198. As indicated by Christopher Budd in the MSRC Blog:

Quote: "We are releasing the bulletin as we've completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers. Additionally, we're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers."

Details about the threat are available in the MMPC Blog.

MMPC Blog: Stuxnet, malicious .LNKs, ...and then there was Sality (http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx)
MSRC Blog: Out of Band Release to address Microsoft Security Advisory 2286198 (http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx)
TechNet:  Microsoft Security Bulletin Advance Notification for August 2010 (http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx)