Thursday, 22 July 2010

Microsoft Security Advisory (2286198) - Vulnerability in Windows Shell Could Allow Remote Code Execution

The Windows shortcut vulnerability is generating a lot of interest in the blogosphere, and rightly so. Described in more detail here, attackers can craft a malformed shortcut that points to a malicious executable, which runs automatically when the folder containing the shortcut is viewed in IE or Windows Explorer. The shortcut and binary can be placed locally, on a USB drive for instance, or hosted on a web server.

Microsoft notes in its advisory, as is often the case, that use of least privilege security can reduce the severity of a successful attack:

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

While Microsoft doesn’t specifically mention it in the security advisory, it’s also possible that having a whitelist of allowed applications, enforced using Software Restriction Policy or AppLocker, will reduce the likelihood of a successful attack.
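One way to check whether an existing AppLocker whitelist actually covers the USB drive case mentioned above. This is an added example, not part of the Microsoft advisory; the function name and the default 'Everyone' principal are assumptions, and it expects an elevated Windows PowerShell session on a machine with AppLocker available:

```powershell
# Added example: report binaries on removable drives that the effective
# AppLocker policy would still allow a given user to run.
Import-Module AppLocker

function Test-RemovableMediaExecution {
    param(
        [string]$User = 'Everyone'   # assumption: principal to evaluate the policy for
    )

    # AppLocker rules are only enforced while the Application Identity service runs.
    $svc = Get-Service -Name AppIDSvc
    if ($svc.Status -ne 'Running') {
        Write-Warning "AppIDSvc is $($svc.Status): AppLocker rules are not being enforced."
    }

    $policy = Get-AppLockerPolicy -Effective

    # A rule collection in AuditOnly mode logs matches but blocks nothing.
    foreach ($rc in $policy.RuleCollections) {
        if ($rc.EnforcementMode -eq 'AuditOnly') {
            Write-Warning "$($rc.RuleCollectionType) rules are in audit-only mode."
        }
    }

    # DriveType 2 = removable disk (USB sticks and similar).
    $drives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $drives) {
        $files = Get-ChildItem -Path "$($drive.DeviceID)\" -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
        if (-not $files) { continue }

        # Keep only the files the policy would let $User run
        # (PolicyDecision is Allowed or AllowedByDefault).
        $files | ForEach-Object { $_.FullName } |
            Test-AppLockerPolicy -PolicyObject $policy -User $User |
            Where-Object { $_.PolicyDecision -like 'Allowed*' } |
            Select-Object FilePath, PolicyDecision, MatchingRule
    }
}

Test-RemovableMediaExecution
```

Any rows returned are files that the current policy would let that user launch from the drive; AllowedByDefault means no rules are configured for that file type at all.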
