[funsec] Microsoft LNK exploit

Rob, grandpa of Ryan, Trevor, Devon & Hannah rMslade at shaw.ca
Tue Jul 20 18:21:11 CDT 2010


The recently discovered LNK exploit, using the way Microsoft parses link or 
shortcut icons for display in order to get something else executed, may be a 
tempest in a teapot.  It is technically sophisticated, but so far we don't appear to 
have seen it used widely.

Probably a good thing.

This exploit could be used in a wide variety of ways.  You can use it in removable 
media, so that any time you shove a CD in a drive, or connect a USB stick/thumb 
drive (or any other USB device, for that matter) to a computer, it results in an 
infection or some malicious payload.

And remember that OLE stands for object *LINKING* and embedding.  Since it is 
trivially easy to embed a virus in any Windows OLE format data file, it should be 
just as easy to create malicious links in any such files.

Microsoft's own information on the issue 
(http://www.microsoft.com/technet/security/advisory/2286198.mspx) seems to 
indicate that there is a related, but separate, issue with Microsoft Office 
components, related to Web-based activities.  (By the way, when accessing that 
site, the information about how to protect against the exploit is hidden under the 
"Workarounds" link, rather than being explicit on the page.)

Some of the potential effects are discussed by Randy Abrams at 
http://blog.eset.com/2010/07/19/it-wasn%E2%80%99t-an-army


======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca     slade at victoria.tc.ca     rslade at computercrime.org
     He who praises everybody, praises nobody.      - Samuel Johnson
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

