Home

Microsoft Windows Shell Could Allow Remote Code Execution

Notification Type:	IBM Internet Security Systems Protection Alert
Notification Date:	July 23, 2010
Notification Version:	1.3

Name:	Microsoft Windows Shell Could Allow Remote Code Execution
Public disclosure/ In the wild date:	July 23, 2010
Aliases:	MS10-046
CVE:	CVE-2010-2568
Description:	A vulnerability in Microsoft Windows exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed..

ISS Coverage

Product	Content Version
Proventia Network IDS Proventia Network IPS Proventia MFS Proventia Server (Linux) RealSecure Network RealSecure Server Sensor Virtual Server Protection for VMware	30.071 30.080
Proventia Desktop Proventia Server IPS (Windows)	2545 2550

Propagation Techniques	ISS Protection	Available
remote exploit	HTTP_FileTypeLnk FTP_FName_Lnk Email_Executable_Extension HTTP_Lnk_File_Accessed Email_Lnk_File_Attachment FTP_Lnk_File_Accessed LNK_File_Detected SMB_Lnk_File_Accessed LNK_MsWin_Code_Execution	Pre-Proventia Software 01 Jul 2001 13 Dec 2002 29 Jul 2010 10 Aug 2010

Detailed Description

Business Impact:	This vulnerability is present in the majority of supported versions of Microsoft Windows. Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by the improper validation of specific parameters of shortcuts (.lnk or .pif) by the Windows Shell component when attempting to load the icon of a shortcut.
*CVSS:	Base Score:		9.3
		Access Vector:	Network
		Access Complexity:	Medium
		Authentication:	None
		Confidentiality Impact:	Complete
		Integrity Impact:	Complete
		Availability Impact:	Complete

	Adjusted Temporal Score:		8.4
		Exploitability:	Functional
		Remediation Level:	Work around
		Report Confidence:	Confirmed
Affected Products:	For a full list of affected versions, see references below.
Technical Description:	By persuading a victim to attach a USB drive or CD-ROM with a malicious shortcut file or browse to the root folder of the device using Windows Explorer or a similar file manager, a remote attacker could exploit this vulnerability using a specially-crafted .LNK or .PIF shortcut file to automatically execute specified code with the privileges of the victim.
Remediation:	Patch is available from Microsoft, see references below for more information. New Signature published in XPU 30.080: 2286198 - LNK_MsWin_Code_Execution (attack - will not have blocking enabled) New signatures published in XPU 30.071: 2110223 - HTTP_Lnk_File_Accessed (attack - will not have blocking enabled) 2110224 - Email_Lnk_File_Attachment (attack- will not have blocking enabled) 2110225 - FTP_Lnk_File_Accessed (attack- will not have blocking enabled) 3110037 - LNK_File_Detected (audit) 3110038 - SMB_Lnk_File_Accessed (audit) All of these are audit/anomaly type signatures and are not necessarily indicative of attack. However, if enabled, they will detect attacks. Blocking is NOT enabled by default on any of the existing signatures due to the high risk of false alarms. Signatures published in XPU 30.071 are monitoring transfers of shortcut files through these listed protocols. Early signatures published and announced: IBM Security has three signatures that will detect .LNK files traversing the network. (1) HTTP_FileTypeLnk (IssueID: 2002546) * This signature detects .LNK files passing over the HTTP (including WebDAV) protocol. (2) FTP_FName_Lnk (IssueID: 2003609) * This signature detects the FTP transfer of a .LNK file. (3) Email_Executable_Extension (IssueID: 2120020) * This signature blocks on the presence of LNK extensions. This has blocking by default. The first (2) signatures do not block by default, as this type of activity is not necessarily malicious. However, it is relatively uncommon for .LNK files to be transferred over the network - and if you see them being transferred it's important to investigate. IBM X-Force suggests that customers who are concerned with the vulnerability described in CVE-2010-2568 enable blocking for those signatures until a vendor supplied patch is available. IBM X-Force will continue to actively research this vulnerability and monitor the Internet for potential attack activity. We will update this alert for our customers as more information becomes apparent.

References

XFDB:	http://xforce.iss.net/xforce/xfdb/60422
Microsoft:	http://www.microsoft.com/technet/security/advisory/2286198.mspx
Microsoft Knowledge Base Article:	http://support.microsoft.com/kb/2286198
Microsoft Bulletin:	http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx

Revision History

1.0	Initial publication.
1.1	Updated Email_Executable_Extension signature and added User Defined-OpenSignature instructions.
1.2	Release of XPU 30.071 which provides 5 new signatures and revision of detailed notes.
1.3	Release of XPU 30.080 which provides 1 new signature, revision of detailed notes with MSFT bulletin.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Internet Security Systems

IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.