Windows Shell Vulnerability Allows Remote Code Execution
Friday, July 30, 2010 at 8:46AM
On July 16, security researchers discovered a new exploit in Microsoft's Windows operating system. This exploit is currently in the wild and affects all versions of Windows. Microsoft has not released a patch for the vulnerability and may not have one ready for the next second-Tuesday patch release. The vulnerability exists in the Windows Shell and very likely allows an attacker to remotely execute code.
The initial attack vector was via USB devices, but researchers are now pointing to in-the-wild examples of the vulnerability being triggered via network shares and favicons (the small graphics file that is located in your browser's address bar).
Microsoft has posted information on a workaround that will disable the shell code, but the workaround will also cause all of your desktop icons to disappear (not the best option). The security firm Sophos has created a third-party software patch that will fix the issue for .LNK files, which are generally shortcuts created in Windows. This third-party patch does not protect against the vulnerability in PIF files.
Affected Operating Systems
- Windows 2000
- Windows XP
- Windows XP Service Pack 1
- Windows XP Service Pack 2
- Windows XP x64 Service Pack 2
- Windows XP Service Pack 3
- Windows XP x64 Service Pack 3
- Windows 7 (All versions)
- Windows Server 2003 32bit and 64bit
- Windows Server 2003 Service Pack 2 32bit and 64bit
- Windows Server 2008 (All versions)
Links
- Microsoft Security Advisory http://www.microsoft.com/technet/security/advisory/2286198.mspx
- SANS.org Storm Center http://isc.sans.edu/diary.html?storyid=9268
- Sophos Free Tool http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html
- Sophos Threat Information http://www.sophos.com/security/threat-spotlight/index.html#threat1
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
- Symantec Security Response http://www.symantec.com/security_response/writeup.jsp?docid=2010-071810-1516-99
Craig N.
This afternoon Microsoft announced that it will be releasing an out-of-band patch for this vulnerability.
Link
Craig N.
I just confirmed that Microsoft is not deploying this patch to anything prior to Service Pack 3 for Windows XP. I manage several systems and have noticed that none of those that are still running Windows XP SP 2 have installed the patch. All systems which I currently manage utilize Microsoft's Windows Server Update Services (WSUS). This is how I can confirm that the patch for the .LNK vulnerability is not deploying to anything prior to Windows XP SP 3.
Supported Operating Systems
- Windows XP SP 3
- Windows 7 (32bit and x64)
- Windows Server 2003 SP 2
- Windows Server 2008
- Windows Server 2008 R2
Links
- Microsoft Security Bulletin http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx


