Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978

    *

    @syk69

    Thanks for the info :thumb: From what i've read it only appears to be partially successful :( but still useful.
     
  3. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
  4. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @AvinashR Hitman Pro :thumb:

    Another 2 cases reported :eek:

    @MrBrian :thumb: Also,

     
  7. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Last edited: Jul 30, 2010
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ fsr

    Hi, your link doesn't work ?
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    How Hitman Pro LNK Exploit Protection works

    We have just posted on our blog the inner workings on how Hitman Pro LNK Exploit Protection works:
    http://hitmanpro.wordpress.com
     
  10. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Re: How Hitman Pro LNK Exploit Protection works

    And I can assure it does work actually :D That's one of two methods I used in my SafeLink patch ;)
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
  12. Czerno

    Czerno Registered Member

    Joined:
    May 16, 2005
    Posts:
    37
    Ahem? What about the millions who still run "older" Windows 2000 or Windows XP (pre-SP3) for instance ?

    Microsoft in their usual hypocritical ways said they're oh! so concerned about the effect of this stupid flaw on the, quote, internet ecosystem, unquote !

    If there was a grain of truth in such statements, then they would release exceptional patches for Win 2k and XP. It wouldn't really cost them much more work, as ALL windows systems have had the same blunder made in shell32.dll. They could apply the exact same correction to the sources and recompile the lot in one batch...


    What they are really concerned about however is their fat, uh, wallets. Disgusting pigs! How can anybody dare defend them is beyond me.

    --
    Czerno
     
    Last edited: Aug 1, 2010
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Wireless angle to the .lnk exploit

    I know the fix is imminent, but just for the record, here's a patch i wasn't aware of before.

    SALITY

     
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    The fix is out now. Run Windows Update.
     
  15. Czerno

    Czerno Registered Member

    Joined:
    May 16, 2005
    Posts:
    37
    Unfortunately, his patcher/replacer combo is fragile at best. Tried it on my Windows SP4 (French), it faulted :-(

    What we need is MS releasing the fix for newly unsupported versions of Windows, like they did in 2001 on a similar occasion. After all, they care for the "internet ecosystem" don't they ? And this mess is entirely their blunder/fault isn't it ?

    In addition I'm certain (you just have to examine the inf files in the official update) MS has compiled the revised shell32.dll for "unsupported" systems, only they must be reserving them for enterprise customers paying big$$$ support contracts. Can't they be pressured to release the fix for free either through Windows update or as a standalone ?

    --
    Czerno
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Re RED

    Do they mean pre the latest official patch, or even with it ? If it's the latter :eek:

    *

    Oh dear, at least the official fix is out now, though i've read even that has messed up some people comps :D

    Interesting, so they can do it, if they want to !
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  18. Czerno

    Czerno Registered Member

    Joined:
    May 16, 2005
    Posts:
    37
    It's with the official MS update applied. Yes, not good, MS did it once again. There'll still be fellows to excuse/defend Microsoft, like drug addicts defend their dealers, I fear.
     
  19. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Read on
     
  20. Czerno

    Czerno Registered Member

    Joined:
    May 16, 2005
    Posts:
    37
    Now it's the user's fault, is it ? What of a mitigation/excuse is that ? ANY web page including the one you are now displaying, any FTP, WebDAV etc. site, any local folder or remote share which you open in Explorer (or similar file browser) could contain a malicious link or pif which will lead to execution of code on affected (unpatched or unpatchable) systems. Safe usability of older unpatched systems is therefore almost reduced to nil. By refusing to patch older systems (still XP SP2 has a 15% usage share according to some stats!), MS is clearly putting users at risk. Could they be sued/forced into preventing/repairing the damage they are making possible ? -IANAL-
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Thanks, that's what i feared. Looks like it's a "feature" not a bug :D And will remain on ALL versions of OS's :eek:

    @ fsr

    Thanks for the link :thumb:

    *

    Here's an idea

    But please see my RED info and the corresponding info/links by Czerno and fsr
     
  22. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    This thread is starting to get out of hand with the silliness... There is a patch out. It fixes the vulnerability. Patch your system, and you're set. If you're using an unsupported version of Windows, update to a supported version. End of trouble.

    What's there to :eek: about? Let's stop and think for a moment. LNK files are shortcuts that point to executables. If a user opens - that's to say double-clicks, for example - a malicious LNK file, the computer may be infected because the user just executed whatever malicious file the LNK points to. Nothing strange about that. That's how LNK files are intended to work: you click on them, and then some program that the LNK file points to is executed. Anything else would make LNK files utterly useless. If the LNK points to a malicious program, and you click on the LNK, then the malicious program obviously runs. The actual LNK vulnerability discussed in this thread is a different situation: even if you don't click on a LNK, code gets executed when Windows tries to load the icon for the LNK file. That vulnerability should now be fixed.

    This aside, the Siemens link reads like nonsense, with odd claims like "Power user don´t have the necessary rights in order to start code from another drive."


    Well, to be fair, the only cases of this patch messing up comps that I've heard of are cases where security software like ESET's AV screwed up the system as this patch was installed. I haven't seen anyone who didn't have stuff like that installed have any trouble with the patch.

    Obviously they can do it, if they want to. They made the entire OS. They can surely make a few changes to a single component of said OS. Thing is, they're not making those changes for unsupported versions. If you want the patch, install SP3. SP3 will not cause you any harm, unless your hardware and/or software positively sucks and is unsupported for up-to-date versions of XP.


    It's not MS putting the SP2 users at risk. It's the SP2 users putting themselves at risk, by stubbornly refusing to update to newer and still completely free-of-charge versions of their software that would fix the issue and remove the risk. Software is not supported for eternity - that's quite clearly stated everywhere. If you want fixes, you update to the supported versions. Anything else would make the entire software business mostly impossible.

    As for any chance of lawsuit against MS on this subject, my forecast is no sane judge or jury would ever punish Microsoft for no longer supporting a service pack originally released in 2004, especially because a supported service pack is available for free. It's ok to hate MS, but it's not ok to be irrational.


    I could go on, but it wouldn't do much good.
     
  23. wat0114

    wat0114 Guest

    For this and everything else you posted, thank you! This vulnerability is being made to appear as some cryptic, Babylonian black magic that conjures up spirits from the underworld :rolleyes:
     
  24. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    440
    For XP SP2 users, according to http://nemesis.te-home.net/News/20100723_Patch_for_0day__LNK_file_handling_vulnerability_up.html:
     
  25. Revo59ndx

    Revo59ndx Registered Member

    Joined:
    Aug 5, 2010
    Posts:
    1
    Hello.

    Glad to join the forum. After some efforts to register, finally succeeded.

    I would like to share my opinion and give my advice to:

    Those who still run Windows SP2 Pro to upgrade to SP3. Just consider this:

    List of fixes that are included in Windows XP Service Pack 3

    Even if there was a LNK vulnerability patch for XP Service Pack 2, how about that endless list of fixes, let alone the earlier versions ? Is it worthwhile ?

    Those who are going to use other LNK vulnerability patches:

    1. Those patches were only a temporary and partial solution. They blocked some regular LNKs and did not block the dangerous LNKs from every possible location.

    2. Those patches were not coordinated with the Windows Messages system which, for example, with the Hitman Pro LNK Exploit Protection, led to numerous error messages popping up when opening Control Panel, causing explorer.exe to freeze:


    The Microsoft LNK vulnerability fix modifies not only the Windows Shell but also the Windows Messages System; actually, two files are modified:

    C:\WINDOWS\system32\shell32.dll * Windows Shell Common Dll *
    C:\WINDOWS\system32\spmsg.dll * Service Pack Messages *

    After installing the Microsoft LNK vulnerability fix, the dangerous LNK file treatment is as follows:


    Windows Shell is looking for the shortcut icon in the target file but expects it to be in the system32 folder, otherwise does nothing.

    :doubt:
     
    Last edited: Aug 5, 2010
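Windchild's post explains that the vulnerability fired when the shell loaded a shortcut's icon without any click, and Revo59ndx's post describes how the patched shell32.dll treats the icon lookup. As an added example that is not code from this thread, from Microsoft, or from Hitman Pro, the following Python triage parser reads the MS-SHLLINK header, LinkTargetIDList and StringData of a .lnk file and reports which field the shell consults for the icon: the ICON_LOCATION string if present, otherwise the resolved target. The `build_lnk` helper and the file names it uses are constructed test data, not real shortcuts.

```python
import re
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAGS = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
         "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]

def parse_lnk(data):
    """Return the shell-link fields that decide where Explorer fetches the icon from."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags, = struct.unpack_from("<I", data, 0x14)
    icon_index, = struct.unpack_from("<i", data, 0x38)
    present = {name for bit, name in enumerate(FLAGS) if flags >> bit & 1}
    pos, id_strings = 0x4C, []
    if "HasLinkTargetIDList" in present:  # item IDs the shell resolves before drawing the icon
        size, = struct.unpack_from("<H", data, pos)
        pos, end = pos + 2, pos + 2 + size
        while pos + 2 <= end:
            item_size, = struct.unpack_from("<H", data, pos)
            if item_size == 0:  # TerminalID closes the list
                break
            item = data[pos + 2:pos + item_size]
            id_strings += [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", item)]
            pos += item_size
        pos = end
    if "HasLinkInfo" in present:  # LinkInfo starts with its own size; skip it
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, 2 if "IsUnicode" in present else 1
    for name in FLAGS[2:7]:  # StringData entries appear in flag order
        if name in present:
            count, = struct.unpack_from("<H", data, pos)
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    # No explicit ICON_LOCATION means the icon is pulled from the resolved target itself
    return {"flags": present, "icon_index": icon_index, "id_strings": id_strings,
            "icon_source": strings.get("HasIconLocation", "<resolved target>")}

def build_lnk(items, icon_location=None):
    """Constructed minimal .lnk for offline testing; not a file produced by Explorer."""
    flags = 0x81 | (0x40 if icon_location else 0)  # HasLinkTargetIDList | IsUnicode [| HasIconLocation]
    header = (struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0) + bytes(24)
              + struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0))
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\0\0"
    body = struct.pack("<H", len(idlist)) + idlist
    if icon_location:
        body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + body
```

Run `parse_lnk(open(path, "rb").read())` over shortcuts found on removable media or a share to list, per file, the printable strings in the item ID list and whether the icon comes from an explicit location or from the target.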