Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution

Vulnerability in Windows Shell Could Allow Remote Code Execution
Published: July 16, 2010
Version: 1.0
General Information

Executive Summary
Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to offer broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers.

Source: http://www.microsoft.com/technet/security/advisory/2286198.mspx

1 reply

    Kellep Charles says:

    It seems anti-virus tools’ ability to detect generic versions of the exploit has not been very effective so far. Microsoft and SANS have issued some workarounds, listed below:

    • Disable the displaying of icons for shortcuts. This involves deleting a value from the registry, and is not the easiest thing to do in some enterprise settings. Group Policy-friendly options include the use of Registry Client-Side Extensions, the regini.exe utility and the creation of a custom .adm file: see Distributing Registry Changes for details.
    • Disable the WebClient service. This will break WebDAV and any services that depend on it.
    • Disable auto-run of USB key contents. This would address one of the exploit vectors. For instructions, see Microsoft KB967715.
    • Lock down SMB shares in the enterprise, limiting who has the ability to write to the shares.

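The first three workarounds in the comment above are all host configuration state, so an administrator can audit them before deciding what to push out via Group Policy. The following read-only PowerShell check is an added example, not part of the advisory or of the comment; the registry paths it inspects are assumed from Microsoft's published workaround and from KB967715 rather than taken from this page, and the WebClient StartType check assumes Windows PowerShell 5.0 or later. SMB share permissions (the fourth workaround) depend on each environment and are not covered here.

```powershell
# Added example: read-only audit of the advisory's workaround state on the local host.
# Registry paths below are assumptions based on Microsoft's published workaround and
# KB967715; confirm them against the advisory before relying on this in production.
function Get-LnkWorkaroundStatus {
    [CmdletBinding()]
    param()

    # Workaround 1: shortcut icon handlers. Microsoft's workaround clears the (Default)
    # value of these keys so Explorer stops loading icons for .lnk and .pif files.
    $iconHandlerKeys = @(
        'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
        'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
    )
    foreach ($key in $iconHandlerKeys) {
        $handler = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Workaround = "Shortcut icon handler ($($key.Split('\')[1]))"
            Mitigated  = [string]::IsNullOrEmpty($handler)
            Detail     = if ($handler) { "handler CLSID $handler still registered" } else { 'no icon handler registered' }
        }
    }

    # Workaround 2: WebClient service (WebDAV). Stopped and disabled closes the WebDAV vector.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Workaround = 'WebClient service'
        Mitigated  = ($null -eq $svc) -or ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
        Detail     = if ($svc) { "StartType=$($svc.StartType) Status=$($svc.Status)" } else { 'service not present' }
    }

    # Workaround 3: AutoRun for all drive types (KB967715 sets NoDriveTypeAutoRun to 0xFF).
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $noAutoRun = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        Workaround = 'AutoRun disabled (NoDriveTypeAutoRun)'
        Mitigated  = ($noAutoRun -band 0xFF) -eq 0xFF
        Detail     = if ($null -ne $noAutoRun) { 'value 0x{0:X2}' -f $noAutoRun } else { 'value not set (default AutoRun policy applies)' }
    }
}

Get-LnkWorkaroundStatus | Format-Table -AutoSize
```

Each row reports whether the corresponding workaround is in effect and the raw setting behind that verdict, so the output can be compared across machines before any registry or service change is rolled out.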
