Super-Fast Linkfest Throw-down: Pt I

07/31/10: More updates posted at the bottom of this page regarding the .LNK vulnerability.

I had planned for a sleepy weekend.  You know, the kind to recharge your batteries after a crazy-insane work-week?

Yeah right.  Like that would come to pass….work responses required weekend dedication.  Bummer

So I offer only several rapid-fire posts to get the linkage unblocked.

Part I here continues with additional information I’ve saved on the Windows LNK exploit; building upon the my previous post: Windows zero-day exploit?: USB storage + .lnk file...

Unless something radical drops, this will probably be the last on this theme.  I’ve found it an interesting look into incident response, knowledge-sharing/growth, and a few more cool tools.

• (Windows) Shellshocked, Or Why Win32/Stuxnet Sux… -- ESET ThreatBlog (filed under perspective)
• It Wasn’t an Army -- ESET ThreatBlog (filed under perspective)
• Mitigating .LNK Exploitation With Ariad-- Didier Stevens (filed under cool tool/utility)
• Mitigating .LNK Exploitation With SRP-- Didier Stevens (filed under cool tool/utility)
• linkiconshim - Project Hosting on Google Code (filed under cool tool/utility)
• Novel New USB Attack | Optimal Security -- The Lumension Blog (filed under perspective)
• Code for Shortcut Zero-Day Exploit is Public - F-Secure Weblog : News from the Lab (filed under perspective)
• Shortcut mitigation and certificate revocation -- Chester Wisniewski’s Blog (filed under advice)
• Microsoft revised Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution – Donna’s SecurityFlash (filed under MS vulnerability clarifications)
• Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow (filed under advice)
• siemens to scada users – don’t change that default password – yikes! – ParanoidProse - (filed under perspective)
• Tool Blunts Threat from Windows Shortcut Flaw — Krebs on Security (filed under perspective)
• Stuxnet Memory Analysis and IOC creation – M-unition Blog (filed under threat analysis)
• LNK Vulnerability: Embedded Shortcuts in Documents - F-Secure Weblog : News from the Lab (filed under new vector possibilities)
• Applied Fix It Solution 50486 (KB2286198) in Vista and Windows 7... – Donna’s SecurityFlash (filed under it worked for me) 
• Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution – Microsoft Support (filed under cool tool/utility)  Note:  links to MS “Fix it” one-click solution 50486 (to apply workaround) and 50487 (to remove workaround).  You also still have to manually disable the WebClient Service in Vista or Win7 to cover those bases as well; see Donna’s link above on that.
• Code signing certificates used in repeat attacks -- Tim Callan's SSL Blog - Online Security (filed under perspective)
• New Stuxnet-Related Malware Signed Using Certificate from JMicron - Points to a highly sophisticated industrial espionage operation – Softpedia (filed under perspective)
• VeriSign working to mitigate Stuxnet digital signature theft –The Tech Herald – Security (filed under perspective)
• Incorrect Information in MS09-014 -- Fortinet Security Blog (filed under perspective and analysis)
• Stuxnet: A Comprehensive FAQ -- Fortinet Security Blog (filed under maybe-I-should-have-titled-this-post-a-FAQ)
• Win32/Stuxnet: more news and resources -- ESET ThreatBlog (filed under I –wish-I –had-time-to-write-pithy-summaries-like-David)
• Microsoft LNK Attack and Defense -- Hurricane Labs Engineering Notes (filed under attack and defense analysis)
• Default Passwords and SCADA: Siemens Fails – /dev/null blog (filed under not-my-fault aka “the BP” defense)
• Exploiting MS “LNK” Vulnerability -- Information Technology Enthusiast (filed under attack and defense analysis)
• More malware exploiting Windows shortcut vulnerability -- Graham Cluley’s blog (filed under the-LNK-slick-grows)
• Protection for New Malware Families Using .LNK Vulnerability - Microsoft Malware Protection Center (filed under small-victories)

07/31/10: More updates

Out of band Microsoft update to fix the .LNK vulnerability exploit coming August 2, 2010.  Just be aware, no soup for XP-SP2 and W2K systems!

• Out of Band Release to address Microsoft Security Advisory 2286198 - The Microsoft Security Response Center (MSRC)
• Stuxnet, malicious .LNKs, ...and then there was Sality - Microsoft Malware Protection Center
• Microsoft to Issue Emergency Patch for Critical Windows Bug — Krebs on Security
• Microsoft issues out of band update for LNK - The Laws of Vulnerabilities

Saddle up!

--Claus V.