Security Watch

Microsoft Cures LNK Flaw with Early Patch

Plus: Microsoft, Adobe team up on flaw research; IE 8 privacy controls handling debated.

Microsoft begins the week by issuing a "critical" out-of-band patch for a vulnerability that's in every supported operating system, including Windows XP, Windows Server 2003, Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Microsoft issued a security advisory and work-around for the Windows Shell remote code execution bug in July.

Windows Shell is a key graphic interface component that uses .LNK files to create shortcut icons enabling quick access to program files. Earlier reports say in-the-wild exploits can be unknowingly triggered when users click on "specially crafted shortcut" icons located on a removable USB drive. It can also happen when a hacker purposely uploads the faulty code via a USB drive and waits for another user to come along and trigger the flaw that's now on an infected system.

With the normal Patch Tuesday scheduled for Aug. 10, Redmond was early on this one because it said the vulnerability is "currently being exploited in malware attacks."

"Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction," adds Wolfgang Kandek, CTO of Qualys. "Nevertheless disabling SMB (Sever Message Block) SMB and WebDav (Web-based Distributed Authoring and Versioning) protocols in the outbound rule set of internet facing firewalls is a measure that provides additional protection against the remote attack vector."

Even with the issue of the off-cycle bulletin, there are two dark-horse factors to consider:

  • Windows 2000 and XP SP2 users will not be covered with the patch despite the fact the the vulnerability has lasting effects on those systems and their users.
  • Kandek and others contend that Microsoft's work-around in Advisory KB 2286198 has serious impact on the usability of the system, as desktop icons are all replaced by standard generic representations and navigation is hampered.

MS, Adobe Team Up on Vulnerability Research
In an initiative that moves two software giants even closer in their security efforts, Microsoft is hooking up with Adobe Systems to share exploit info. This announcement comes on the heels of formal collaborations that have been more than a year in the making.

More recently, the two companies shared Microsoft's sandbox security technology for use in Adobe Reader PDF software. Specifically, Redmond extended its Microsoft Active Protections Program to include vulnerability information sharing from Adobe. Mike Reavey, director of the Microsoft Security Response Center, said Redmond is offering MAPP benefits to Adobe because Microsoft has seen clear evidence of such initiatives having an impact in the advancement of customer protection.

Through the program, Adobe will be able to share its software vulnerability information with the 65 members of the MAPP organization.

Privacy for IE Users Stamped Out
A piece in Monday's The Wall Street Journal reports on a heated debate within the ranks of Microsoft to create privacy settings within Internet Explorer 8 to keep Web surfers from being tracked by advertisers. The article goes on to say that in the name of strategic aims, the prevailing voice within the executive suite was one that favored "quashing" the effort to boost privacy.

The move to install tracking files within IE and use cookies, browser session info, and search history to build consumer profiles grouped with IP addresses or licensed Windows users is nothing new. Neither is it necessarily a malicious undertaking, especially in the contentious battle for advertising dollars with Google.

Here's the catch-22: If advertisers can follow ID tags and user experience and preference data-packet-dossiers can be sold to third-parties, who's to say adware and spyware makers can't begin to collect tracking file information too?

As the article points out, IE still has a 60 percent market share on the browser market and plays a pivotal role in protecting user privacy.

While IE 8 is considered the most secure browser Microsoft ever released and while any savvy Web surfer knows how to deaden their digital trail by using Internet Options to clear their cache or reset their cookies, there's always third and fourth layers of sophistication in remote code execution that administrators must consider. Because if there's one certainty about Web security, it's that hackers often pave the road to intrusion with the good intentions of developers, vendors and users.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

  • Microsoft Open License To End Next Year for Government and Education Groups

    Microsoft's "Open License program" will end on Jan. 1, 2022, and not just for commercial customers, but also for government, education and nonprofit organizations.

comments powered by Disqus