Security Watch

Microsoft Cures LNK Flaw with Early Patch

Plus: Microsoft, Adobe team up on flaw research; IE 8 privacy controls handling debated.

• By Jabulani Leffall
• 08/03/2010

Microsoft begins the week by issuing a "critical" out-of-band patch for a vulnerability that's in every supported operating system, including Windows XP, Windows Server 2003, Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Microsoft issued a security advisory and work-around for the Windows Shell remote code execution bug in July.

Windows Shell is a key graphic interface component that uses .LNK files to create shortcut icons enabling quick access to program files. Earlier reports say in-the-wild exploits can be unknowingly triggered when users click on "specially crafted shortcut" icons located on a removable USB drive. It can also happen when a hacker purposely uploads the faulty code via a USB drive and waits for another user to come along and trigger the flaw that's now on an infected system.

With the normal Patch Tuesday scheduled for Aug. 10, Redmond was early on this one because it said the vulnerability is "currently being exploited in malware attacks."

"Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction," adds Wolfgang Kandek, CTO of Qualys. "Nevertheless disabling SMB (Sever Message Block) SMB and WebDav (Web-based Distributed Authoring and Versioning) protocols in the outbound rule set of internet facing firewalls is a measure that provides additional protection against the remote attack vector."

Even with the issue of the off-cycle bulletin, there are two dark-horse factors to consider:

• Windows 2000 and XP SP2 users will not be covered with the patch despite the fact the the vulnerability has lasting effects on those systems and their users.
• Kandek and others contend that Microsoft's work-around in Advisory KB 2286198 has serious impact on the usability of the system, as desktop icons are all replaced by standard generic representations and navigation is hampered.

MS, Adobe Team Up on Vulnerability Research
In an initiative that moves two software giants even closer in their security efforts, Microsoft is hooking up with Adobe Systems to share exploit info. This announcement comes on the heels of formal collaborations that have been more than a year in the making.

More recently, the two companies shared Microsoft's sandbox security technology for use in Adobe Reader PDF software. Specifically, Redmond extended its Microsoft Active Protections Program to include vulnerability information sharing from Adobe. Mike Reavey, director of the Microsoft Security Response Center, said Redmond is offering MAPP benefits to Adobe because Microsoft has seen clear evidence of such initiatives having an impact in the advancement of customer protection.

Through the program, Adobe will be able to share its software vulnerability information with the 65 members of the MAPP organization.

Privacy for IE Users Stamped Out
A piece in Monday's The Wall Street Journal reports on a heated debate within the ranks of Microsoft to create privacy settings within Internet Explorer 8 to keep Web surfers from being tracked by advertisers. The article goes on to say that in the name of strategic aims, the prevailing voice within the executive suite was one that favored "quashing" the effort to boost privacy.

The move to install tracking files within IE and use cookies, browser session info, and search history to build consumer profiles grouped with IP addresses or licensed Windows users is nothing new. Neither is it necessarily a malicious undertaking, especially in the contentious battle for advertising dollars with Google.

Here's the catch-22: If advertisers can follow ID tags and user experience and preference data-packet-dossiers can be sold to third-parties, who's to say adware and spyware makers can't begin to collect tracking file information too?

As the article points out, IE still has a 60 percent market share on the browser market and plays a pivotal role in protecting user privacy.

While IE 8 is considered the most secure browser Microsoft ever released and while any savvy Web surfer knows how to deaden their digital trail by using Internet Options to clear their cache or reset their cookies, there's always third and fourth layers of sophistication in remote code execution that administrators must consider. Because if there's one certainty about Web security, it's that hackers often pave the road to intrusion with the good intentions of developers, vendors and users.