When installing freeware - should we CHANGE the shortcut - see this Windows vulnerability
in [Freeware]
|
Prev: {Ron May} OT-An appropriate Monty Python skit
Next: The Pricelessware/ACF Satisfaction Survey - AMAZING FINAL RESULTS!!!!!!!
From: sharon on 3 Aug 2010 11:59 When installing freeware, should we change the default shortcut because of this Windows vulnerability (and others which may not be known to us yet)? http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx Executive Summary This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for all supported editions of Microsoft Windows. For more information, see the subsection, Affected and Non-Affected Software, in this section. The security update addresses the vulnerability by correcting validation of shortcut icon references. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information. This security update addresses the vulnerability first described in Microsoft Security Advisory 2286198.
From: VanguardLH on 3 Aug 2010 13:07 sharon wrote: > When installing freeware, should we change the default shortcut because of > this Windows vulnerability (and others which may not be known to us yet)? > > http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx > > Executive Summary > > This security update resolves a publicly disclosed vulnerability in Windows > Shell. The vulnerability could allow remote code execution if the icon of a > specially crafted shortcut is displayed. An attacker who successfully > exploited this vulnerability could gain the same user rights as the local > user. Users whose accounts are configured to have fewer user rights on the > system could be less impacted than users who operate with administrative > user rights. > > This security update is rated Critical for all supported editions of > Microsoft Windows. For more information, see the subsection, Affected and > Non-Affected Software, in this section. > > The security update addresses the vulnerability by correcting validation of > shortcut icon references. For more information about the vulnerability, see > the Frequently Asked Questions (FAQ) subsection for the specific > vulnerability entry under the next section, Vulnerability Information. > > This security update addresses the vulnerability first described in > Microsoft Security Advisory 2286198. "Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically." I take it you chose not to download and install the KB2286198 update yet that was offered today.
From: sharon on 4 Aug 2010 01:54 On Tue, 3 Aug 2010 12:07:22 -0500, VanguardLH wrote: > I take it you chose not to download and install the KB2286198 update I have automatic updates so I'm sure it installed. But the point was that shortcuts are a vulnerability (who knows what's the NEXT one reported). Since freeware is highly bugged - I just wondered if you were avoiding the program shortcuts.
From: VanguardLH on 4 Aug 2010 02:41
sharon wrote: > VanguardLH wrote: > >> I take it you chose not to download and install the KB2286198 update > > I have automatic updates so I'm sure it installed. But the point was that shortcuts are a vulnerability (who knows what's the > NEXT one reported). No, the command executed by the shortcut was NOT the vulnerability. It was the icon that might get assigned to the shortcut. Using a corrupted graphic file to utilize a buffer overrun vulnerability in the image rendering subsystem in Windows is not a new type of exploit. You could edit the shortcut after installing a program (but before *using* the shortcut) to remove or change the icon associated with the shortcut. Or you could check if you have KB2286198 installed. > Since freeware is highly bugged - I just wondered if you were avoiding > the program shortcuts. Naw. I just went ahead and installed the update to address the vulnerability and moved on. |