HighProventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This event triggers when a Microsoft shortcut file contains a specially crafted ICON section which references a UNC (Universal Naming Convention) path.
These types of files should typically not be seen traversing your network, with the possible exception of those being detected via the SMB/CIFS protocol.
The nature of these files enables them to access resources which may be outside of your control, thus enabling a remote code execution attack on your systems when the ICON is rendered by Microsoft Windows.
Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: Not all LNK files containing paths to remote systems result in malicious, remote code execution.
Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: This event will not trigger when the file being accessed is local, such as the 'C:' filesystem.
High
Proventia Network IPS: XPU 30.080, Proventia Desktop: 2550, RealSecure Server Sensor: XPU 30.080, RealSecure Network: XPU 30.080, Proventia Network IDS: XPU 30.080, Proventia-G 1.1 and earlier: XPU 30.080, Proventia Network MFS: XPU 30.080, IBM Security Server Protection for Windows: 2.1.14.2550, Proventia Server IPS for Linux technology: 30.080, Virtual Server Protection for Vmware: XPU 30.080
Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium
Unauthorized Access Attempt
Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by the improper validation of specific parameters of shortcuts (.lnk or .pif) by the Windows Shell component when displaying the icon of a shortcut file. By persuading a victim to attach a USB drive or CD-ROM with a malicious shortcut file or browse to the root folder of the device using Windows Explorer or a similar file manager, a remote attacker could exploit this vulnerability using a specially-crafted .LNK or .PIF shortcut file to automatically execute specified code with the privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Krebs on Security Web site
Experts Warn of New Windows Shortcut Flaw
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
Microsoft Web Site
Microsoft Windows
http://www.microsoft.com/windows/default.aspx
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2286198.mspx
Offensive Security Exploit Database [07-18-2010]
Microsoft Windows Automatic LNK Shortcut File Code Execution
http://www.exploit-db.com/exploits/14403/
Microsoft Security Bulletin MS10-046
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
Microsoft Security Bulletin MS11-006
Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)
http://www.microsoft.com/technet/security/bulletin/ms11-006.mspx
ISS X-Force
Microsoft Windows .lnk file code execution
http://www.iss.net/security_center/static/60422.php
CVE
CVE-2010-2568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568