Oh no, not again.
July 22, 2010 8:52 PM

Computer security experts have recently discovered a vulnerability/design flaw with Microsoft Windows that has been part of their operating system and affects all versions of Windows since Windows 2000, including XP, Vista, and Windows 7. (1, 2, 3, 4) "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts." -- Microsoft

Microsoft is working on a permanent fix for it but there has been no firm timeline for its release. In the meantime, they're recommending several temporary workarounds, one of which involves turning off icons for shortcuts.

On the other hand ... "While attacks using this do seem to be sophisticated, they are at present very limited in nature. Looks like someone crafted this attack for a specific job. The good news from that is that this vulnerability isn’t in wide circulation. So while it could be loaded onto a USB flash drive or CD, or even leveraged remotely via network shares and WebDAV, the chances of you being affected by this vulnerability is as close to zero as to be zero. On top of that, by now most of the top antivirus providers will have updated their signature files in order to be able to detect and defend against this nasty. ... So, should you be worried? No." Adrian Kingsley-Hughes, ZDNet.

If that doesn't put your mind at ease, there's always this.
posted by crunchland (84 comments total) 9 users marked this as a favorite
 
FUCK
posted by DZack at 8:53 PM on July 22, 2010


This is the thing we've seen over and over again - the attitude that says to hell with security, make it do more shit and we'll figure out the rest later. Or hey, maybe we'll get lucky and it'll never come up - our source is closed; who's gonna find it?

I remember when Windows 2000 came out and they trumpeted the fact that Blue Screens of Death were down to a few dozen, from the hundreds that NT had. Even then they were talking up security. Once again we see how, like a basement for a house, you can't easily add security to an OS by piling more weight on a crappy foundation.
posted by Hardcore Poser at 9:00 PM on July 22, 2010


They are referring, of course, to the Google Chrome icon.
posted by swift at 9:01 PM on July 22, 2010 [4 favorites]


If I got paid overtime, I'd be overjoyed at this.

Unfortunately, I do not get paid overtime. This one's gonna suck, because even non-networked machines are vulnerable to some degree.

And they ask me why I, a Windows admin, use a mac at home.
Because I, of all people, know better.
posted by schmod at 9:01 PM on July 22, 2010


Crunchland: I'm a hardcore Mac guy (although I admin mostly Linux and Solaris systems for a living), and I've got a 2GHz quad-core (dual dual-core Opteron 270s) system with 16G RAM running Ubuntu 10.04 for a general-purpose desktop in the other room.

The more I use it for various things, the more I like it, and it almost feels like I'm cheating on my Mac now.
posted by mrbill at 9:03 PM on July 22, 2010 [1 favorite]


One of the interesting wrinkles of this is that the vulnerability affects versions of Windows that Microsoft has abandoned in regards to support and security updates. So that old, old computer sitting in the back office of Accounting, running some mission critical utility that hasn't been updated in years, is ripe for exploits.
posted by crunchland at 9:07 PM on July 22, 2010 [2 favorites]




This is the thing we've seen over and over again - the attitude that says to hell with security, make it do more shit and we'll figure out the rest later. Or hey, maybe we'll get lucky and it'll never come up - our source is closed; who's gonna find it?

I wouldn't say that this is a particularly fair assessment. Windows is insecure, because Microsoft are fanatical about maintaining backwards compatibility, which is a huge deal for business customers. Unfortunately, they're striving to maintain backward compatibility with an operating system and set of libraries for which security wasn't even a concern. As such, up until very recently, security was tacked on top (an obviously flawed design). Microsoft have never been about "doing more stuff." You're thinking of Apple. Coincidentally, their operating systems are quite secure by comparison.

I remember when Windows 2000 came out and they trumpeted the fact that Blue Screens of Death were down to a few dozen, from the hundreds that NT had. Even then they were talking up security. Once again we see how, like a basement for a house, you can't easily add security to an OS by piling more weight on a crappy foundation.

This must be anecdotal. I can't think of a single win2k BSOD that wasn't related to a phenomenally crappy driver or hardware fault. Even NT wasn't awful in terms of BSODs, and was also an entirely new OS. The NT Kernel's foundations are actually quite good -- most of the "crap" is the stuff on top, much of which is around to preserve compatibility with old apps.

I can't believe I'm being a Microsoft apologist. There's plenty wrong with their software -- just not what you describe.
posted by schmod at 9:17 PM on July 22, 2010 [1 favorite]


anything that's been in that many versions of an OS isn't a bug, it's a feature
posted by zenwerewolf at 9:23 PM on July 22, 2010


Ashes to ashes
Funk to funky
We know Major Tom's a junky
Strung out in heaven's high
hitting that
all

time

low


Sorry, had to get that out of my system after reading the topic title. Wouldn't stop going round my head.
posted by Sebmojo at 9:30 PM on July 22, 2010 [4 favorites]


This is the thing we've seen over and over again - the attitude that says to hell with security, make it do more shit and we'll figure out the rest later. Or hey, maybe we'll get lucky and it'll never come up - our source is closed; who's gonna find it?

What are you talking about? All software has security vulnerabilities. I don't think there's any indication that Microsoft today has an attitude of "to hell with security", it sounds like this may be a very hard bug to fix -- one that's not widely known, and one that can't be used remotely, so most people aren't going to be affected. And anyone who runs the free Microsoft Security Essentials AV software should be safe, assuming Microsoft is one of the "Many" AV software vendors who have updated the definition files.

And they ask me why I, a Windows admin, use a mac at home.

As far as Mac OS, there was apparently one open vulnerability as of June 10th and probably others. Apple and Microsoft both do security updates all the time. Generally they are security updates (I guess) that aren't known by malicious hackers, but in this case it was (apparently) a proprietary hack, not something that was widely known and exploitable.


Here is an example of a security flaw that was discovered in BSD and patched quickly in FreeBSD and NetBSD in the summer of 2009, but not in OSX at the time the article was written in January of 2010. It's obvious that lots of spyware targets Windows XP, taking advantage of unpatched systems and naive users.

But the idea that OSX is somehow fundamentally more secure than Windows is nonsense, especially since users don't run as Administrator by default on Vista/ Win 7.

----

Anyway, all software has bugs and some of those bugs are going to lead to security vulnerabilities. Things are getting a lot better, though.
posted by delmoi at 9:32 PM on July 22, 2010 [1 favorite]


Can anyone summarize the nature of the bug? From reading the links, it sounds like Windows will load an arbitrary user-specified .DLL in order to display a .lnk icon? Or is it supposed to load a particular system .DLL but the bug allows the .lnk to cause a malicious one to be loaded instead?

One thing I thought was interesting, from your informationweek link:
the malware [has] a valid digital signature from Realtek Semiconductor, a legitimate company. Security researchers are anxious to learn how attackers got their hands on the digital signature [....] "Recalling a certificate from a company like this simply isn't feasible — it would cause an enormous amount of the software which they've released to become unusable," said Gostev.
It is interesting that Microsoft goes the PKI route for security (despite its problems) but is unwilling to do the one thing that PKI is intended to allow you to do for damage control, that is, detect and revoke a compromised key.
posted by hattifattener at 9:34 PM on July 22, 2010 [2 favorites]


No. Windows is insecure because it adheres to outmoded security models. There are a ton of *nix and Mac sploits out there, but very few of them have any impact... simply because Unix/Linux managed to get it right, and there are savage and intense programmers manning the barricades in defense of the Unix model, and only paid and understaffed mercenaries working Microsoft's bizarrely mutated VMS-clone beat.

Those of us in infosec prevention know that the "ecosystem" argument is largely bullshit. Oracle and DB2 are never, ever hacked, despite housing much juicier targets than MySQL and SQL server. MySQL and SQL Server... well... there's a booming new industry in Web Application and Database Firewalls for people who've never heard of Postgres or Oracle or IBM. I'm not complaining, as I earn my daily bread setting up content filtering on the inbound side...
posted by Slap*Happy at 9:34 PM on July 22, 2010 [2 favorites]


This is why I don't use a computer.
posted by TwelveTwo at 9:35 PM on July 22, 2010 [11 favorites]


One of the interesting wrinkles of this is that the vulnerability affects versions of Windows that Microsoft has abandoned in regards to support and security updates. So that old, old computer sitting in the back office of Accounting, running some mission critical utility that hasn't been updated in years, is ripe for exploits.

Exactly what I was thinking. It's scary when an OS stops being supported.
posted by danb at 9:36 PM on July 22, 2010


I know more people with Macs than PCs. I have a small stack of PCs at my house that I've tried to fix for friends after they got infected in some way, and my success rate is currently running below 50%, so I'm waiting for those friends to dig up their recovery disks so we can reload 'em.

Meanwhile, nobody with a Mac ever asks me for help, and the only things my Linux-using friends ever ask me for is advice on how to configure oddball monitors.
posted by davejay at 9:41 PM on July 22, 2010


I use my Windows 7 machine to use the internet (Metafilter mostly), do word processing and create spreadsheets (Google Docs and Office 2007) and... that's about it.

How will this exploit affect me?
posted by KokuRyu at 9:56 PM on July 22, 2010


delmoi: “Anyway, all software has bugs and some of those bugs are going to lead to security vulnerabilities. Things are getting a lot better, though.”

Mmm... yeah, but bugs and exploits in the dynamic linking architecture? That's day one stuff, innit? I mean, it's sort of the very first route anybody'd go (I imagine) to break admin controls and go nuts in a lot of contexts.

I hate to say this, but I think OSX is more secure in general, simply because these things don't happen there. And I don't pretend that's down to Apple in any way, shape or form. They did happen to base their whole operating system on code from one of the more secure and rational OSes on the planet (FreeBSD) which, for one thing, does dynamic linking in a secure way that actually makes sense. I'm not an Apple hacker, so I have no idea whether OSX retains the same architecture for such things, but I'd imagine they do. And if so, they're right to do so.

At this point, having a secure OS requires as many human beings working as many hours maintaining the system as possible. The notion that Microsoft could ever employ as many people as BSD or Gnu/Linux evaporated in the late 90s; at this point, there are Linux hackers all over the place maintaining and developing and building security, and they do so in a community that tends to get word out when there's a problem to be fixed. Contrast that with the meager crew at Redmond (or the merry band at Cupertino) and it's unfortunately just not nearly the same.

Heck, just look at Linux kernel development, which is by no means the entire Linux or open-source world; the Linux kernel sees over 4300 lines added, 1800 lines removed, and 1500 lines modified per day, making it easily the fastest-moving and largest software project that's ever existed. More devices use the Linux kernel than any other piece of software ever invented. [And that was only as of 2008.] This is development on a scale that a company, like Microsoft or Apple, simply cannot accomplish. And when you think about the fact that FreeBSD and Apache develop on similarly rigorous (although not quite so vast) schedules and timeframes, and that Apache at least can make similarly striking claims about broad and general usage, you have to conclude that we really live in the age of open-source software.

These are days of open development. Security is no different. And single companies, with closed gardens and finite paid workforces, simply cannot mount the kinds of projects that go on in the software world. I think a lot of us came to realize this when it became apparent that Debian was pretty much an uprising of a kind never seen; but if it wasn't clear then, there are a few dozen more reasons now to see it. Little "bugs" like this – honestly, I am stunned, as dynamic links are really an essential thing to secure – just prove the irrelevancy of corporate development further, I think. At least Apple has been smart enough to coattail on top of a system that got it right.
posted by koeselitz at 9:58 PM on July 22, 2010 [6 favorites]


To follow up, yes, there are subtle, custom crafted sploits against high-value targets on high-security systems. IDS and incident response tells us so, and we firewall the shit out of that action, and then set the winged monkeys to "Surrender Dorothy."
posted by Slap*Happy at 10:01 PM on July 22, 2010


Shell Links (.lnk files) have a feature that lets you specify any icon you want as the icon. You can even specify an icon resource in any random DLL. All of the links repeat the same fairly useless bits of information describing the problem, so it isn't clear at all where the actual issue is. But the icon, since it is coming from a source outside the module (outside shell32.dll that is) should be considered untrusted input to a degree.

There have been attacks against image codecs where a malformed image was specifically created to cause a buffer overflow and the payload was encoded in the malformed image. I suspect this is something similar, from the description at link #1 above, but it could be several other things. For example, when you call LoadLibrary() on a DLL the loader will automatically call a DllMain() function if that DLL exports one and now you can run whatever code you want. You're supposed to use the LOAD_LIBRARY_AS_DATAFILE flag when you just want a resource so no code is executed... maybe they forgot to do that? And there are a bunch of other issues that it could be from these vague descriptions.

It would be interesting to know more. My first thought was, "oh ****, what about FavIcons?" IE uses InternetShortcuts, which are very closely related to ShellLinks, to load FavIcons. If that code path were vulnerable, that would be horrible. The reverse engineering linking it to Control Panel code made me feel much better.
posted by jeffamaphone at 10:03 PM on July 22, 2010 [2 favorites]
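As an added illustration of the feature jeffamaphone describes (a shortcut's icon can be pointed at a resource inside any DLL), here is a small defender-side triage script; it is not code from this thread or from Microsoft. It parses the fixed ShellLinkHeader and the StringData of a .lnk file per the public Shell Link binary format and flags shortcuts whose icon comes from a loadable module or from a remote share; the sample shortcuts it builds for testing are constructed here and are not taken from any real malware.

```python
import os
import struct

# LinkFlags bits from the Shell Link (.lnk) binary format (MS-SHLLINK).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk (little-endian).
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData items appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Icon sources that are loadable modules rather than plain .ico image files.
MODULE_EXTENSIONS = (".dll", ".cpl")


def _read_string(data, off, is_unicode):
    """Read one StringData item: a u16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if is_unicode:
        end = off + count * 2
        return data[off:end].decode("utf-16-le"), end
    end = off + count
    return data[off:end].decode("cp1252", errors="replace"), end


def parse_lnk(data):
    """Parse the header and StringData of a .lnk, skipping the variable-size
    LinkTargetIDList and LinkInfo blocks by the sizes they carry themselves."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (icon_index,) = struct.unpack_from("<i", data, 56)  # IconIndex field
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (info_size,) = struct.unpack_from("<I", data, off)
        off += info_size
    link = {"flags": flags, "icon_index": icon_index}
    for bit, field in STRING_FIELDS:
        if flags & bit:
            link[field], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return link


def triage(data):
    """Return findings for one .lnk; an empty list means nothing notable."""
    link = parse_lnk(data)
    findings = []
    icon = link.get("icon_location", "")
    if icon.lower().endswith(MODULE_EXTENSIONS):
        findings.append("icon is a resource inside a loadable module: %s (index %d)"
                        % (icon, link["icon_index"]))
    if icon.startswith("\\\\"):
        findings.append("icon is fetched from a remote share: %s" % icon)
    return findings


def scan_directory(root):
    """Triage every *.lnk under root; returns {path: findings} for flagged files only."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                try:
                    findings = triage(fh.read())
                except ValueError as exc:
                    findings = ["unparseable: %s" % exc]
            if findings:
                report[path] = findings
    return report


def build_lnk(icon_location, icon_index=0):
    """Construct a minimal Unicode .lnk carrying only an ICON_LOCATION string.
    Constructed sample input for testing, not a real shortcut from any system."""
    flags = IS_UNICODE | HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, SHELL_LINK_CLSID, flags,
                         0, 0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")


if __name__ == "__main__":
    for sample in (r"%SystemRoot%\system32\notepad.exe", r"\\fileserver\share\icons.dll"):
        print(sample, "->", triage(build_lnk(sample, 1)) or "nothing notable")
```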


bugs and exploits in the dynamic linking architecture? That's day one stuff, innit?

Given the limited data in link #1, the bug is not in the loader, but in how someone is using. The Windows Kernel really is very good and very secure. The Shell and IE have a much weaker record. And even they are getting much better. I would really hate to be the developer who code reviewed this part of the shell during the great security audit of XP-SP2, though I doubt anyone will bother to go looking for them.
posted by jeffamaphone at 10:08 PM on July 22, 2010 [1 favorite]


Once again we see how, like a basement for a house, you can't easily add security to an OS by piling more weight on a crappy foundation.

They have to keep making space for grandpa and grandma, and all the old in-laws and relatives who won't kick up their heels and retire.
posted by Blazecock Pileon at 10:08 PM on July 22, 2010 [1 favorite]


...using it.
posted by jeffamaphone at 10:08 PM on July 22, 2010


jeffamaphone: That makes a bit of sense. Combining what you said with an aside in one of the linked articles, my guess is that the "control panel" subsystem is actually loading, linking, and presumably running code from, the .DLL that it wants the icon from, rather than just grabbing the icon from the library without loading the library.
posted by hattifattener at 10:15 PM on July 22, 2010


That does it. I'm praying for a Mac.
posted by St. Alia of the Bunnies at 10:22 PM on July 22, 2010 [2 favorites]


*panics, sets hair on fire*

Good thing there's beer in the fridge to put that fire out.
posted by stavrosthewonderchicken at 10:27 PM on July 22, 2010


Nice exploit, though.
posted by ActualStackhouse at 10:34 PM on July 22, 2010


When in worry, fear or doubt, run in circles, scream and shout!
Open a ticket with the firewall wonks
Make the unix admins happy and
give their bearded, suspendered gronks!
posted by Slap*Happy at 10:37 PM on July 22, 2010 [2 favorites]


It is interesting that Microsoft goes the PKI route for security (despite its problems) but is unwilling to do the one thing that PKI is intended to allow you to do for damage control, that is, detect and revoke a compromised key.

"At the end of last week Microsoft announced that with consent from Realtek, Verisign has revoked the already-expired certificate used to sign the Stuxnet malware with. However, it seems that this might only be the beginning of a series of highly sophisticated attacks employing similar tactics." Softpedia

And also :

"F-Secure also believes that this malware is designed for industrial espionage, because it looks for Siemens WinCC SCADA systems. Supervisory Control And Data Acquisition (SCADA) systems are used to monitor and control mission critical operations at power- and water-distribution plants, gas and oil refineries or manufacturing facilities." Softpedia
posted by crunchland at 10:38 PM on July 22, 2010


No. Windows is insecure because it adheres to outmoded security models. There are a ton of *nix and Mac sploits out there, but very few of them have any impact... simply because Unix/Linux managed to get it right

What exactly is the "outmoded" security model Windows uses? It certainly isn't the case that Windows makes users administrator or 'root' by default anymore. So what are you talking about?

Mmm... yeah, but bugs and exploits in the dynamic linking architecture? That's day one stuff, innit? I mean, it's sort of the very first route anybody'd go (I imagine) to break admin controls and go nuts in a lot of contexts.

I'm not really sure how to respond to that, since it's mostly just a mishmash of computer terms. By "dynamic linking architecture" you could mean either DLL loading or how the shortcut system works, since it's kind of a vague, non-specific phrase and both are involved here.

Let's assume you mean DLL loading. In that case, the problem with your statement is that it's wrong. That's not where it is. At all.

If you mean how shortcuts work, then you're closer but using really wrong terminology. And anyway, the bug is in how the icons for shortcuts are loaded, which is A) not where anyone would probably look in most cases and B) security glitches can actually happen anywhere, but this would definitely have been an out of the way, not looked at much area.

I hate to say this, but I think OSX is more secure in general, simply because these things don't happen there.

The problem here is that you're wrong and they do. This is an example of a security flaw. Security flaws are found in OSX all the time. I linked to some examples. To say otherwise is just counterfactual. This is not an example of spyware/malware which does target Windows more often, unfortunately. As far as individually crafted attacks (which is what this was) Apple machines are just as vulnerable.

Remember, what happened here is that an attacker, apparently, used a previously unknown exploit to hack a specific machine or network. That is just as likely on OS X. The only reason we know about it is because Microsoft publicized it. Would Apple make a public announcement if the same thing happened to OS X? Given their non-admissions of the iPhone antenna problems I'd say it's pretty unlikely.

They did happen to base their whole operating system on code from one of the more secure and rational OSes on the planet (FreeBSD) which, for one thing, does dynamic linking in a secure way that actually makes sense.

Yeah. This is also wrong. OS X was based on the Mach kernel and it has a BSD compatibility layer, which is like saying Windows is based on Unix because Cygwin exists.

Also, can you explain how libraries are loaded on Windows and in FreeBSD? I kind of doubt it, and if you can't then how can you say one is more secure than the other? (or, if you were talking about shortcuts, then what's the difference there? Of course the BSD system doesn't deal with icons at all, those would be handled by whatever user-mode file manager the user is using, etc)

At this point, having a secure OS requires as many human beings working as many hours maintaining the system as possible. The notion that Microsoft could ever employ as many people as BSD or Gnu/Linux evaporated in the late 90s; at this point, there are Linux hackers all over the place maintaining and developing and building security

I'm pretty confident in the security of the Linux kernel. But you see security problems crop up in user-mode software all the time. Anyway, the security of the Linux kernel has no impact on OS X. So the rest of your comment about how awesome Linux is is kind of irrelevant.
posted by delmoi at 10:47 PM on July 22, 2010 [6 favorites]


That does it. I'm praying for a Mac.

Despite the way many Apple fans worship Steve Jobs as a living god, most people usually just buy one.

Or you could download and install Ubuntu. Right from inside of Windows.
No nerd magic, theistic belief system or divine intervention required. Heck, the Windows installer that I just linked you to will even leave your Windows system alone, and it's more secure and possibly even more user friendly than Mac OS X.

No, seriously. You should try it. It's now easier than making a box of macaroni and cheese. Depending on the speed of your connection and computer it might even take less time. It's literally the easiest, most painless installation of any software product I've ever seen anywhere. It's about a million times less confusing than installing a set of HP printer drivers.

Yes, you can uninstall it, too. From inside of Windows. It'll vanish as though it was never there.
posted by loquacious at 10:51 PM on July 22, 2010 [6 favorites]


What exactly is the "outmoded" security model windows uses?

Better to ask what it does not use: Least user access, aka LUA. Accountability, auditability, access, aka AAA. Man, I could go on... but! Unix does this well, hardened Unix does it better. Windows can't even compete here, ask any CISSP...
posted by Slap*Happy at 10:53 PM on July 22, 2010


"F-Secure also believes that this malware is designed for industrial espionage, because it looks for Siemens WinCC SCADA systems. Supervisory Control And Data Acquisition (SCADA) systems are used to monitor and control mission critical operations at power- and water-distribution plants, gas and oil refineries or manufacturing facilities."

Fascinating. It wouldn't surprise me if this was done by the Russian government, which just got a copy of Windows' source code, probably to spy on Gazprom's rivals. (Or it could have been any oil company, trying to get measurements on other oil companies' reserves and production rates.)

But these were hackers writing specific software against specific targets. If the software had been running OS X, the hackers could have used an OS X exploit just as easily, especially since they're capable of finding new exploits and keeping them secret.
posted by delmoi at 10:53 PM on July 22, 2010


Better to ask what it does not use: Least user access, aka LUA. Accountability, auditability, access, aka AAA. Man, I could go on... but! Unix does this well, hardened Unix does it better. Windows can't even compete here, ask any CISSP...

Are those technologies or just practices? Why can't you use them on Windows? Certainly you can create restricted accounts.
posted by delmoi at 10:58 PM on July 22, 2010


Ummm! Windows theoretically has a more secure model than Unix, with its concentric circles. In the real world? Once someone worms their way past it, they generally gain control of the system entire, from the bootblock up. They don't even need to know a single line of code, the automated 'bots take care of that for them.

I have dueled in the mailing list with the uber haxorz working on OpenBSD - they will never, ever admit they are wrong, and instead code around security weakpoints, and document the hell out of it for the admins and infosec luzerz. Result? You can't hack this.

Apple, once they fixed it, admitted to stuff bjeing bjorken... and they are a glimmering beacon of perfection in the non-open-source infosec field of "Shoulda told us sooner!"

Once sploits are in the wild, Apple generally (not always, but generally) has hardened their shit to laugh it off.
posted by Slap*Happy at 11:28 PM on July 22, 2010


Of course the BSD system doesn't deal with Icons at all, those would be handled by whatever user-mode file manager the user is using, etc)

Hey that's a pretty cool idea- doing shit in user mode. Maybe that could make systems more secure.
posted by a snickering nuthatch at 11:30 PM on July 22, 2010


Once sploits are in the wild, Apple generally (not always, but generally) has hardened their shit to laugh it off.

Yep. And if OS X was really as badly vulnerable as the bloggers say, the number of affected machines would go up as there are more Macs out in the wild. Better design and better support does make a better product, in this case.
posted by Blazecock Pileon at 11:37 PM on July 22, 2010


delmoi: “I'm not really sure how to respond to that, since it's mostly just a mishmash of computer terms, by "dynamic linking architecture" you could mean either DLL loading or how the shortcut system works, since it's kind of a vague non-specific phrase and both are involved here.”

Gah, I always forget what DLL stands for. No, I'm not talking about DLLs. I'm talking about file linking – whatever it is I'm making whenever I do ln, I guess for some ridiculous reason I've always called them "dynamic links" – which is frankly a pretty important subsystem, right?

“And anyway, the bug is in how the icons for shortcuts are loaded, which is A) not where anyone would probably look in most cases and B) security glitches can actually happen anywhere, but this would definitely have been an out of the way, not looked at much area.”

It has to have been somebody's idea to have a link load the whole library when it picks up the icon. And it seems like anybody would see the problem there. Moreover, when you start making linking possible in the first place you're opening up all kinds of security potentials, and since they're necessary to build any kind of modern filesystem they're sort of an important place to look for security problems, no?

delmoi: “or, if you were talking about shortcuts, then what's the difference there? Of course the BSD system doesn't deal with Icons at all, those would be handled by whatever user-mode file manager the user is using, etc”

The whole architecture is completely different, so it's odd to try to compare them, but: one of the essential differences in FreeBSD is that all system software is compiled on the machine, so libraries are less often accessed unexpectedly. This allows for more secure signing of those libraries as they're installed, and it allows the system greater secure control over what libraries are authorized than it would have even in Linux, BSD's closest cousin; libraries outside the standard set known to be needed for installed software are usually turned off to begin with. (I'm pretty sure BSD machines don't use local libraries by default, for example.) And the simple fact is that there are enough structural differences in the way the systems are built that you'd never be able to do this on FreeBSD because of that fact; Gnome and KDE (the windowing systems and graphical shells) don't access the system at a root level, and that means that (particularly in FreeBSD) it wouldn't even make sense to try to convince an icon to access a random malicious library that somehow happened to be lying around, much less do so through a link.

So there's a sense in which this is bound to be a Windows-specific exploit (and it's not Microsoft's fault to that extent).

Mainly what I objected to in your comment above was what I took to be a bit of a sneering tone. You're the one who made OS X a big ol' issue, when this is not about this architecture or that architecture – it's about a Windows problem, and we don't need to rehash all of these old "oh you smug OS X people are so awful" arguments here. But I'm probably reading into it too much, and for that I apologize. It's late, and I'm going to bed.
posted by koeselitz at 11:42 PM on July 22, 2010 [3 favorites]


This Knowledge Base article contains an automated workaround that replaces all shortcut icons with a default blank sheet of paper icon, the same one you see when, for example, a website doesn't have an icon for Firefox or whatever browser to load. It also tells you how to do the same thing manually.

The documentation says the problem is that "When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut." The workaround disables .LNK and .PIF file use by blanking the value for this registry key -- HKEY_CLASSES_ROOT\piffile\shellex\IconHandler.
posted by msalt at 12:50 AM on July 23, 2010 [1 favorite]


As far as Mac Os

Reading that as Mac'Os makes me want a breakfast cereal with little wheat MacBooks and coloured marshmallow chunks in the shape of the original iMac.

Make it happen, Jobs!

although I just know it'll cost like £50 per box in the UK :(
posted by ArmyOfKittens at 1:12 AM on July 23, 2010 [1 favorite]


And $76 per box in the US. Of course, John Gruber and the like will talk at length about how nice it is to have a cereal that Just Digests, and how you never have to worry about the allergic reactions and choking that are constantly happening every day to every consumer of other cereals.
posted by kafziel at 1:33 AM on July 23, 2010 [4 favorites]


Hey that's a pretty cool idea- doing shit in user mode. Maybe that could make systems more secure.
Yeah, which is probably why windows works that way. Explorer runs as a regular user process (which means that this exploit couldn't theoretically do anything a regular user couldn't do, actually).

Windows only runs device drivers in "Ring 0", System services run as the System user, and user programs (including the windows shell) run as the user.
Yep. And if OS X was really as badly vulnerable as the bloggers say, the number of affected machines
How many machines were "affected" by this hack? As far as we know, just one. It was a one off hack designed for a specific target. Whoever did it would have probably had the resources to target macs just as easily, if the critical systems had been running on Mac OS. But how common is that? (but I would imagine that for high level espionoge the personal machines of high level machines are targeted)
I guess for some ridiculous reason I've always called them "dynamic links" – which is frankly a pretty important subsystem, right?
No. Windows has "real" hard and soft links now and they work the same way as in Unix. But when you're talking about a "Windows shortcut" they're really just text files with some meta data and the path of the target file in plain text. You can literally open them up in notepad and edit them if you want. They actually end in .lnk.

They're features of the file manager not of the core OS. And what are the odds that there are security level bugs in things like GNUStep, Gnome, and the dozens of window managers and file explorers under linux? My guess is pretty high. For example, here is a vulnerability in Gnome's built in image viewer that allowed remote code execution. Here is a local exploit for KDE. I'm sure you could find tons of vulnerabilities if you looked around like this.

"True" windows soft/hard links (like the ones you make with ln on unix systems) are not affected by this. It's only explorer shortcuts (.lnk files) that are affected.

(and as I said, explorer actually runs as whatever user you currently are, which limits the impact of this glitch a lot, especially on Vista/Windows 7 where users don't run as admin by default)
and since they're necessary to build any kind of modern filesystem they're sort of an important place to look for security problems, no?
As I said, this has nothing to do with actual file system level links.
So there's a sense in which this is bound to be a Windows-specific exploit (and it's not Microsoft's fault to that extent).
Well, right, but you would never see security bugs caused by X-Windows or by window managers or whatever on windows. Different ways of doing things are going to cause different security problems.
posted by delmoi at 1:44 AM on July 23, 2010 [1 favorite]


I poured out my beer on top of my burning hair, and the brushfires have subsided and man, I gotta tell you: it didn't taste very good at all.

But at least I'm summer-cooled, and kinda drunk, and not a goddamn thing has changed in terms of my computer security. Just like every other time the fucking digital sky was falling.

You dinguses.
posted by stavrosthewonderchicken at 4:02 AM on July 23, 2010


How will this exploit affect me? -- KokuRyu : Well, if you believe the statement that it was developed as a highly targeted attack on a particular type of control system for electric power plants, at this point, it will probably not affect you, personally, aside from the wig-out-end-of-the-world, paranoid-terrorist-taking-over-our-infrastructure angle, and there's not even enough information to jump to that conclusion. As far as whether it will affect your computer, that depends on how quickly Microsoft can turn around a real barrier to it. The hacker world now knows the exploit exists, and it's possible there's a guy pounding Red Bull right now making the überist über worm of all time, so it's a race. The exploit is such that even looking at the directory listing of an infected USB drive or CD/DVD, not even clicking on anything, is enough to get infected. If the exploit can be used with a favicon, it'll be pretty effing disastrous. Since Microsoft's work-arounds aren't really practical, there's nothing you can do to protect yourself at this time, aside from jumping ship and moving to Mac or Ubuntu.

For now, don't take any USB drive or CD/DVD from anyone, and hope Microsoft or some third-party comes up with something soon.
posted by crunchland at 5:23 AM on July 23, 2010 [1 favorite]


Oh, and don't open a Word document from someone you don't know, as it's apparently possible to embed an infected shortcut icon into a MS office document.
posted by crunchland at 5:27 AM on July 23, 2010


No. Windows has "real" hard and soft links now and they work the same was as in Unix.

No, it doesn't -- at least, not as Unix defines them, and no, they don't, because how hard and soft links work in Unix is very much a function of the Unix filesystem design.

Windows does have reparse points, which can act like hard links, but only on directories. Win7 and above have symbolic links, but they're a very different critter than the ones in Unix - indeed, I wonder how many people have actually used them. (Hint: Have you typed mklink? If not, you have not used a symbolic link in Windows.)

Windows has had Shortcuts for a long time, which are neither hard, nor symbolic, links. They are files, and most things see them as files, with the exception of the Windows file managers and shells, which will read them and retarget to the file the shortcut points at.

So: Win7 and above does have symbolic links, but they're new and most have never run the command line utility to actually use them. Windows since Win2K has had a limited form of hard links that run on directories only. Windows has, in effect, shell scripts with icons to implement shortcuts.

They're useful things, but they're not Unix hard links (which are copies of the directory entry inode) or symbolic links. They act very differently.

Do not conflate them.
posted by eriko at 5:45 AM on July 23, 2010 [3 favorites]


It's interesting how there aren't many truly malicious worms / viruses out there anymore. Sure a security model that runs everything in user mode and protects the OS is great but if it wipes out your iTunes collection will you really care?
posted by smackfu at 5:59 AM on July 23, 2010


Well, there is the Conficker worm out there. It's pretty elegant in the way it was designed and written, and the payload has yet to be deployed, but the estimates I could find say that it has infected 15+ million machines across the world.
posted by crunchland at 6:44 AM on July 23, 2010


I heard about this in the context of SCADA from a friend who works in the pipeline software business. Without going all "omg terrorists will blow pipelines up!", it's actually kind of scary to me. Screwing around with SCADA systems is bad news. It's not just the industrial espionage potential; it's things like if your gas pipeline is leaking and you don't figure it out in time because there's something wrong with your data. Minor pipeline accidents caused by blundering around will kill people just as dead as terrorist incidents.
posted by immlass at 7:54 AM on July 23, 2010


It's interesting how there aren't many truly malicious worms / viruses out there anymore. Sure a security model that runs everything in user mode and protects the OS is great but if it wipes out your iTunes collection will you really care?

There's no money in wiping out your iTunes collection.
posted by me & my monkey at 8:18 AM on July 23, 2010


it's things like if your gas pipeline is leaking and you don't figure it out in time because there's something wrong with your data. Minor pipeline accidents caused by blundering around will kill people just as dead as terrorist incidents.

Well, it's not just that. It's also that of all the "if it ain't broke don't fix it" systems in a facility, the ones that talk to and manage control hardware are near the top of the list. Oftentimes these machines won't even be on the network - they are usually on a segregated network if they are on one at all.

Of course, they're running Windows 3.0 (no, not 3.11, that would cost money) on a 286 sitting in a shelf under 4 inches of dust detritus with a faded and phosphor-burned 13 inch monitor attached. You'd like to upgrade it, but it's a stack pollution sensor and the company that made the device got bought by a competitor, the engineer who built the ISA card that talks to it has long since retired and died, and the programmer who wrote the app is nowhere to be found and the source code is rotting away on some tape archive in a vault somewhere. So you gotta replace the whole bag of rice just to get rid of that one grain.

Even if you could solve those problems, the EPA will be all up in your shit because now you're messing with an environmental control and there's this regulation and that rule to satisfy....
posted by Pogo_Fuzzybutt at 8:32 AM on July 23, 2010


Windows has had Shortcuts for a long time, which are neither hard, nor symbolic, links. They are files, and most things see them as files, with the exception of the Windows file managers and shells, which will read them and retarget to the file the shortcut points at.

In fairness, this isn't just a Windows thing; MacOS has used a similar concept, called an "alias", for years. It's a regular file as far as the filesystem is concerned, but the OS (at least certain system calls) will read it and then redirect to the file it points to.

OS X added Unix-style links (real and sym), and the OS will treat a symlink in an almost-but-not-quite identical way to an Alias, but you can still do all three as far as I know.

The advantage of Windows' .lnk and MacOS's alias implementation is that they don't break if you move the target file around; they're not just pointers to a particular path, but to an actual file. Not sure about Windows, but on a Mac you could click an alias to a file on an unmounted filesystem and it would prompt you to insert the disk. Not so much any more, but back in the day when people had small hard drives and stacks of floppies everywhere, that was a fairly slick feature.
posted by Kadin2048 at 8:34 AM on July 23, 2010


OS-X was based on the Match kernel [...]

Mach. (Pronounced "mock".) FWIW.
posted by Crabby Appleton at 8:39 AM on July 23, 2010


There's no money in wiping out your iTunes collection.

Back in my day we wrote viruses because we were unchallenged by university dammit.
posted by smackfu at 8:39 AM on July 23, 2010


"I know more people with Macs than PCs. I have a small stack of PCs at my house that I've tried to fix for friends after they got infected in some way, and my success rate is currently running below 50%, so I'm waiting for those friends to dig up their recovery disks so we can reload 'em."

This anecdote says either something really bad about windows or something really bad about your windows admin skills.
posted by Mitheral at 8:41 AM on July 23, 2010 [1 favorite]


Oh, and don't open a Word document from someone you don't know, as it's apparently possible to embed an infected shortcut icon into a MS office document.

Haven't malicious scripts long been an issue with MS Office documents? Will this new exploit be recognized by anti-virus programs that scan downloaded docs?
posted by KokuRyu at 8:47 AM on July 23, 2010


I'd be willing to bet an entire paycheck that there are exploitable design flaws in OSX and in every flavor of unix out there, and the only reason why they are more secure than Windows is because the user base of them is so small, it's not worth the effort. Why go after a minnow when you can go after a whale?
posted by crunchland at 8:47 AM on July 23, 2010


Oh, Windows. You make me so happy sometimes.
posted by atbash at 8:48 AM on July 23, 2010


Secunia: Apple software has the most holes.

In the past three+ years Microsoft has reacted very swiftly to vulnerabilities. I don't know how they could do any better given the size of their installed base and complexity of their software. Compare, say Adobe, whose crap is installed on almost every computer in the world and has numerous vulnerabilities that take months to fix.

The underlying problem with Microsoft, Apple, Oracle, Adobe, and even hyper-conscious OpenBSD is that the way we write software is broken. Software objects are incredibly complex and some of the bricks we use to build them are crumbly.
posted by Nelson at 8:58 AM on July 23, 2010


Compare, say Adobe, whose crap is installed on almost every computer in the world and has numerous vulnerabilities that take months to fix.

I hate to agree with this, being a guy who works with both Acrobat and Flash for money, but man this is so true. Adobe Reader is death right now. It has all this client-side functionality that lets you run scripts, embed multimedia content (and arbitrary bad stuff), and all that stuff is really aimed at the less than 1% of people who use LiveCycle. But there are some flaws baked right into the PDF format, so that even third-party tools like Foxit Reader aren't safe!

Right now, when I'm asked about PDF security issues, my general recommendation is to use Google Docs to view them - Docs can convert them to HTML and you can safely look at that. And that's just sad.

And best of all, PDF exploits tend to be cross-platform! Of course, nobody bothers writing payloads for Macs, but the hooks are all in place to do bad things in the security context of the user viewing the PDF.

But, all that ties in nicely with Didier Stevens' blog. He does a lot of work with PDF exploits, but has some timely info about mitigating this lnk vulnerability.
posted by me & my monkey at 9:36 AM on July 23, 2010 [1 favorite]


is installed on almost every computer in the world and has numerous vulnerabilities

Those aren't unrelated facts.
posted by smackfu at 10:07 AM on July 23, 2010


The thing that's really notable about this is that it's the first one Microsoft won't be patching for XP SP2. Let's hope there aren't a bunch of industrial control systems running pre-SP3 Windows that regularly take USB sticks to load commands from. Since that does appear to be the target.

Why on Earth companies insist on using Windows for things like ATMs and CNC machines and whatnot I'll never figure out. At least with an Open Source system, whatever it may be, you can hire someone to backport the patch to whatever you're running, even if support has long since lapsed.
posted by wierdo at 10:29 AM on July 23, 2010


Why on Earth companies insist on using Windows for things like ATMs and CNC machines and whatnot I'll never figure out.

Because Microsoft really sold Windows development well. Microsoft makes it easy to get SDKs, developer tools, training, support etc. I remember when I was using OS/2 (which used to be common for these sorts of things) that IBM made you jump through all sorts of hoops to develop. And developers go where the users are, too - it makes sense to learn how to develop for Windows generally, because you can sell applications.
posted by me & my monkey at 10:42 AM on July 23, 2010 [1 favorite]


Since Microsoft's work-arounds aren't really practical...

Why not? I'm no expert, but it sounds like the icon blanking workaround eliminates the problem. I installed it, and yes it's pretty annoying to have to mouseover links instead of looking at their pictures, but it is doable.

Now, whether it's worth the trouble in relation to the risk, I'm not sure. But I think it does eliminate the risk. Please correct me if I'm wrong.
posted by msalt at 10:51 AM on July 23, 2010


Do you want to tell Betty in human resources why the icon on her desktop that she uses to access the word processor is a white square instead of a blue W, or shall I?
posted by crunchland at 10:56 AM on July 23, 2010


Oh, not in a work environment, I just meant for an individual on a home computer. Like, say, me.

I've worked as a computer trainer for years, I totally hear you.
posted by msalt at 11:17 AM on July 23, 2010


Apple vulnerabilities are not just a possibility. The argument from Apple fans has been that even if MacOS is less secure (quite arguably true), it's not targeted as much. That's starting to change, though. There is a real, serious Safari vulnerability right now -- http://9to5mac.com/node/20062. Given how easy it is to do, Safari has enough market share to make this attack worthwhile.

(summary: if you use Safari, disable AutoFill or any autofill data can be hijacked)
posted by wildcrdj at 12:04 PM on July 23, 2010


CanSecWest has a Pwn2Own contest each year. Basically the contestants can pick any one of a selection of major OS/browser combinations to attack and the first one to compromise any system wins.

2008: First to fall was a MacBook Air
2009: First to fall Safari on Mac OSX
2010: First to fall iPhone followed by Safari/Mac OSX

You're not safer using Mac OSX because of any inherent feature in that operating system, you're safer because of the much higher aggregate value of the target represented by a different operating system.
posted by robertc at 3:18 PM on July 23, 2010


Well, you and I may know that Mac OSX is not inherently safer than any other platform, but I'm going to keep this Apple sticker on my windows box just to be safe.
posted by TwelveTwo at 5:47 PM on July 23, 2010


Interesting. I saw what must have been an emailed exploit for this in the wild yesterday - a couple of lines of Portuguese gibberish and a few things, labeled DSC1084.jpg (for example) but that downloaded as .cpl files. My Debian box laughed at them of course, but yikes.
posted by hap_hazard at 5:48 PM on July 23, 2010


So I'm guessing this has something to do with my question from last week.
posted by charred husk at 6:57 PM on July 23, 2010 [1 favorite]


Interesting. I saw what must have been an emailed exploit for this in the wild yesterday - a couple of lines of Portuguese gibberish and a few things, labeled DSC1084.jpg (for example) but that downloaded as .cpl files.

Huh? .cpl files are executable on their own; it has nothing to do with this exploit, which requires you to mount a folder (such as from a USB disk or something) to run the 'sploit.
posted by delmoi at 8:26 PM on July 23, 2010


You're not safer using Mac OSX because of any inherent feature in that operating system, you're safer because of the much higher aggregate value of the target represented by a different operating system.

Oh, that tired old argument again, just as silly as ever. There are a lot of different factors you have to consider when you declare something "more secure." The vendor's attitude toward patching major security holes is one of them. (Apple doesn't care about bugs unless it affects the public's perception of them and therefore their bottom line; Microsoft seems to be lackadaisical in general.) How quickly you can get into a system whose user clicks indiscriminately on every link you send them—which is nothing near a typical usage pattern for a desktop OS—doesn't allow you to pronounce one system more secure than another.
posted by one more dead town's last parade at 12:04 AM on July 24, 2010


Oh, that tired old argument again

What argument are you referring to? My post was pointing out that, under targeted attack, there's evidence that Mac OSX succumbs more quickly than either of the other two common desktop operating systems and then offering an explanation as to why, despite this, they are the victim of fewer attacks in the wild than Windows systems.

How quickly you can get into a system whose user clicks indiscriminately on every link you send them—which is nothing near a typical usage pattern for a desktop OS—

No-one suggested it was, I'm not sure why you think this is relevant?

doesn't allow you to pronounce one system more secure than another.

I suggested the users of Mac OSX were more secure not because their systems were inherently more secure than those of Windows users but because they collectively presented a less desirable target.
posted by robertc at 5:02 AM on July 24, 2010


...which is not at all true for smartphone malware, where the iPhone is dominant.
posted by msalt at 9:36 AM on July 24, 2010


Apple's not as dominant as you'd think in smartphones. Globally Symbian is #1 by a long shot (44%). Then it's RIM/Blackberry, Apple, and Android (44% combined), then Windows and Linux.

I think the reason we haven't seen more smartphone malware is so far they're not very attractive targets compared to PCs. Most PC botnets seem to be used for sending spam, performing DDoS attacks, and stealing user credentials. The carrier-controlled networks have limited how much of that you could do from a smartphone, although the rise of Apple and Android platforms on wifi is lifting that limitation. I'm a little surprised we haven't seen more phone worms distributed out of pure glee/malice.
posted by Nelson at 10:46 AM on July 24, 2010 [1 favorite]


Last month, someone uploaded a plug-in to Mozilla's plug-in site called "Mozilla Sniffer." It was tagged as being experimental, and pretended to be a security extension to view HTTP/HTTPS headers. Apparently, 1800 people downloaded it before Netcraft and Mozilla realized it was designed to do nothing more than capture data related to form fields (esp. uids and passwords) and forward them to the author. Mozilla has since pulled the program, added it to the "do not run" blacklist, and is reviewing their policy about allowing unverified submissions to be made public.
posted by crunchland at 11:06 AM on July 24, 2010


My post was pointing out that, under targeted attack, there's evidence that Mac OSX succumbs more quickly than either of the other two common desktop operating systems

You're actually talking about Safari, which isn't an operating system. (And Linux wasn't even tested.)

No-one suggested it was, I'm not sure why you think this is relevant?

Because it was the basis of the Pwn2Own contest that you linked to.

I suggested the users of Mac OSX were more secure not because their systems were inherently more secure than those of Windows users but because they collectively presented a less desirable target.

And I'm still waiting for evidence of that. The Pwn2Own results provide nothing of the sort.
posted by one more dead town's last parade at 6:46 PM on July 24, 2010 [1 favorite]


You're actually talking about Safari, which isn't an operating system.

No, I'm actually talking about a competition to compromise the operating system by exploiting the browser.

(And Linux wasn't even tested.)

From the 2008 event:
We'll update this blog posting in the event another winner emerges today for the Vista or Ubuntu laptops that remain standing.
Both the 2009 and 2010 events had Android as one of the targets in the mobile device part of the contest, so Linux was represented there too, if not so heavily.

Because it was the basis of the Pwn2Own contest that you linked to.

Which part of the Pwn2Own contest involves a user that "clicks indiscriminately on every link you send them"?

And I'm still waiting for evidence of that.

Now I'm not sure what you're waiting for evidence of? I think we might have similar viewpoints but I'm not making myself clear enough, let me try to summarize:

Your first reply seemed to indicate that you felt both Microsoft and Apple have a less than ideal level of security, which was actually the point of the post you were replying to: In response to several comments which had been critical of the MS security track record and saying how much more secure Mac OSX was because of its BSD core, I was pointing out that, under direct attack, as exemplified by the Pwn2Own contest, Apple OSes are at least as vulnerable, if not more, than Windows ones.

So, to summarize my position that you're (apparently) disagreeing with:

1. Windows is insecure (as evidenced by the existence of this thread)
2. Mac OSX is insecure (as evidenced by Pwn2Own)
3. The majority of malware in the wild targets Windows (which I would have thought is self evident, but I'm sure some stats can be dug up if necessary)

My conclusion from the above three points is that Mac OSX users, in general, are safer only because malware, in general, targets Windows, and not because they are using an operating system with special security sauce.
posted by robertc at 11:37 AM on July 25, 2010


Which part of the Pwn2Own contest involves a user that "clicks indiscriminately on every link you send them"?

I can't think of another way to test browser security that doesn't involve a lot of mind-numbing waiting. You can't get a browser to execute malicious code without getting it to load that code.

I was pointing out that, under direct attack, as exemplified by the Pwn2Own contest, Apple OSes are at least as vulnerable, if not more, than Windows ones

Again, Pwn2Own is a test of web browsers, not of operating systems—at least in its 2010 incarnation. While they make no explanation of what they consider to be a successful exploit (being able to execute arbitrary code is bad, but doing it as the superuser is an entirely different kind of bad).

In any case, there's no indication that the machines that Pwn2Own sets up as targets are configured in a way that's typical. It doesn't matter if a locked-down Windows is harder to break into than a locked-down Mac OS X when the overwhelming majority of users doesn't do its work on such a machine. What matters is how vulnerable a typical install is. It's quite a stretch to say that the quantity of malware out there for Windows is due to OS X's smaller market share. OS X is still underrepresented in terms of malware despite its market share. Why?
posted by one more dead town's last parade at 9:58 PM on July 25, 2010 [1 favorite]


You can't get a browser to execute malicious code without getting it to load that code.

OK, but tricking a user into visiting a web page isn't the same thing as clicking indiscriminately on everything. Unless you're suggesting that there's some feature of one OS or another that stops users following interesting looking links then I don't think it makes much difference.

While they make no explanation of what they consider to be a successful exploit

I think it's arbitrary code, in the OS, without privilege escalation.

OS X is still underrepresented in terms of malware despite its market share. Why?

For the same reason it's underrepresented in terms of network gaming: why try to reach ~20% of the market when, for the same effort, you can reach ~80%? What special security features do you think Mac OSX has that Windows doesn't that explain the disparity?
posted by robertc at 2:35 PM on July 26, 2010


Is it underrepresented in tablet device malware?
posted by msalt at 9:21 AM on July 27, 2010


OK, but tricking a user into visiting a web page isn't the same thing as clicking indiscriminately on everything.

No, but it's the only way that's fair to anyone to test whether a browser exploit works.

Again, though, a test of different web browsers on different operating systems does not amount to a substantive test of the operating systems (or the browsers) themselves. If I hired someone to assess risks, and they used this contest as though it were reliable data, I'd start looking for someone who actually knew what they were doing.
posted by one more dead town's last parade at 8:17 AM on August 2, 2010


Just in case anyone is still paying attention, regarding the original Windows exploit from the OP, a third party organization, Sophos Security, has released a patch that will protect you from the exploit and allows you to keep your icons. More information is available here.
posted by crunchland at 7:28 PM on August 2, 2010

