Update to the most recent Windows vunerability: I wrote about this earlier in the week and wanted to add some updates. This vulnerability, which exploits a flaw in the way .lnk (all those shortcut files in windows that point to a file in another location, including desktop and browser shortcuts) are displayed, originally targeted software that controls large power installations and manufacturing facilities and was spread via infected USB drives. As I suspected, this has become a much generalized attack vector. Here are some points worth noting:
– All versions of Windows from 2000 on are affected (and possibly even older versions)
– Windows 2000 and XP SP2 will not be patched – these are officially no longer supported by Microsoft. There are quite a few devices out there still using XP SP2 because of compatibility issues with SP3
– This vulnerability can also be be exploited via Windows Office documents, file shares, WebDAV (used in Sharepoint) and anything else that can accommodate embedded .lnk files
– There speculation that the favicons used on websites might also be able to exploit this vulnerability, according to Steve Gibson in this week’s episode of Security Now!
– There is no “fix” yet – Microsoft has a registry modification that is a “workaround”. It disables the rendering of all icons (that will change the look of your desktop!).
For all those Macintosh users out there who are feeling a little smug – don’t. If you are using Safari, here is something you should know. Both versions 4 and 5 have a feature enabled by default that could allow a malicious website to exploit the auto-fill feature of Safari to extract personal information from your address book. Fortunately, you can disable this feature. Thanks to Jay Holtslander for bringing this to our attention. Apple is reportedly working on a fix.
Dennis H in West Virginia, US
July 26, 2010