Topic: Fix It tool for Windows Lnkfile vulnerability. Patch to come
Wiz Feinberg
From: Mid-Michigan, USA
Posted 21 Jul 2010 1:12 pm
Microsoft has posted an advisory containing a temporary Fix It tool (and undo tool) to protect Windows PCs from a new zero-day exploit in the wild, in desktop shortcut icons and the WebDAV Client Service. The vulnerability exists in all versions of Windows from Windows 2000 to Windows 7, including all server versions from 2000 to present. That is a lot of vulnerable machines.
Microsoft will be releasing an out-of-band patch soon, which will alter the default behavior that is currently being exploited in shortcut icons. In the meantime, you can use the Fix It tool above to stop shortcut icons from displaying. This leaves a blank icon for your desktop shortcuts. It is ugly, but negates one half of the attack vector.
The other half of this exploit is targeting the Windows WebDAV Service. To protect your PCs from this attack vector, stop and disable the "WebClient Service." Go to Start > Run (Windows key and R), type in SERVICES.MSC and press Enter. Scroll down the list of services to WebClient; right-click on it and select Properties. Change the Startup type to Disabled. If the service is running, click Stop. Click OK and exit the management application.
Note. If you are running any applications that require the WebClient and WebDav Services, they will fail if the Service is disabled. For example, WebDAV shares will be inaccessible from the client computer.
These attacks are being spread by multiple means, including factory infected USB devices. The displaying of icons is being used to launch hostile binary files in hidden folders on those devices. A rootkit is involved.
I will alert you when the out-of-band patch is released. At that time you will want to install the patch, then reboot, then undo the Fix It by running the Undo Tool. I recommend downloading both tools and saving them. Use the one now and the other after patching your Icon behavior.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
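
The WebClient steps in the post above can also be scripted. The following PowerShell is an added example, not part of the original post or of Microsoft's Fix It tool; it assumes PowerShell 3.0 or later in an elevated prompt, and the state-file path and function names are hypothetical.

```powershell
# Added example: scripted equivalent of the SERVICES.MSC steps for WebClient.
# $StateFile is a hypothetical location used to remember the original setting.
$ServiceName = 'WebClient'
$StateFile   = Join-Path $env:ProgramData 'webclient-startmode.txt'

function Get-StartMode {
    param([string]$Name)
    # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled'.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found on this machine." }
    return $svc.StartMode
}

function Disable-WebClient {
    $mode = Get-StartMode -Name $ServiceName
    # Record the original startup type once so it can be restored after patching.
    if (-not (Test-Path $StateFile)) { Set-Content -Path $StateFile -Value $mode }
    Set-Service -Name $ServiceName -StartupType Disabled
    if ((Get-Service -Name $ServiceName).Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force
    }
    # Report the resulting state so the change can be verified.
    $svc = Get-Service -Name $ServiceName
    "{0}: status={1}, startup={2}" -f $ServiceName, $svc.Status, (Get-StartMode -Name $ServiceName)
}

function Restore-WebClient {
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile." }
    $saved = (Get-Content -Path $StateFile -TotalCount 1).Trim()
    # Map the WMI value to the name Set-Service expects.
    $type = if ($saved -eq 'Auto') { 'Automatic' } else { $saved }
    Set-Service -Name $ServiceName -StartupType $type
    Remove-Item -Path $StateFile
    "{0}: startup restored to {1}" -f $ServiceName, $type
}

Disable-WebClient
```

Restore-WebClient puts the startup type back to what it was before the change, for use once the service is wanted again.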
Mitch Drumm
From: Frostbite Falls, hard by Veronica Lake
Posted 21 Jul 2010 2:05 pm
Wiz:
I just checked and find that Web Client Services is not running on my PC and is set to manual.
For all I know, it has never been started.
Exactly when might that service be needed?
Is there any reason it might be needed on a standalone PC not on any network other than the Internet?
I'm not one to try to shut down as many services as possible, but I'm willing on this one if I'll never need it.
Jack Stoner
From: Kansas City, MO
Ray Minich
From: Bradford, Pa. Frozen Tundra
Posted 21 Jul 2010 3:59 pm
Quote:
factory infected USB devices
Oh, great...
How do you know if your system is infected already?
Thanx.
Update: no mrxnet.sys or mrxcls.sys files on my PC. Got WebClient turned off in time... yeah!
_________________
Lawyers are done: Emmons SD-10, 3 Dekleys including a D10, NV400, and lots of effects units to cover my clams...