The story continues. Microsoft has released a Security Advisory with workarounds for the ".lnk vulnerability" described in our previous blog post. To help you protect your systems, here are the two official workarounds; the whole article is available on the official Microsoft website:
Microsoft Security Advisory (2286198)
http://www.microsoft.com/technet/security/advisory/2286198.mspx
Disable the displaying of icons for shortcuts
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
5. Select the value (Default) in the right-hand window of the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
6. Restart explorer.exe or restart the computer.
Impact of workaround. Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.
Disable the WebClient service
Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.
To disable the WebClient Service, follow these steps:
1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.
Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.
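For administrators who need to apply the WebClient workaround on many machines, the Services.msc steps above can be scripted. The following is an added example, not part of the Microsoft advisory or the original post; it assumes an elevated Windows PowerShell 3.0 or later prompt, and the -Apply switch is a name chosen here for illustration.

```powershell
# Added example: scripted equivalent of the Services.msc steps for WebClient.
# Assumption: run elevated, Windows PowerShell 3.0+. -Apply is a hypothetical switch
# defined by this script; without it the script only reports what would change.
param([switch]$Apply)

$name = 'WebClient'
$svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "$name service is not installed; nothing to disable."
    return
}

# Record the current configuration so the workaround can be reverted later.
$before = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
Write-Output ("Before: State={0} StartMode={1}" -f $before.State, $before.StartMode)

# Services that explicitly depend on WebClient will not start once it is disabled.
foreach ($dep in $svc.DependentServices) {
    Write-Output ("Dependent service affected: {0} ({1})" -f $dep.Name, $dep.Status)
}

if (-not $Apply) {
    Write-Output 'Audit only. Re-run with -Apply to make the change.'
    return
}

# Manual step 3: stop the service if it is running, then set Startup type to Disabled.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $name -Force   # -Force also stops running dependent services
}
Set-Service -Name $name -StartupType Disabled

# Verify the result instead of assuming the change succeeded.
$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
if ($after.StartMode -eq 'Disabled' -and $after.State -eq 'Stopped') {
    Write-Output "After: $name is stopped and disabled."
} else {
    Write-Error ("After: unexpected State={0} StartMode={1}" -f $after.State, $after.StartMode)
}
```

The "Before" line shows the startup mode to restore when the workaround is no longer needed.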
These were the official Microsoft workarounds.
However, there also seems to be another solution: deploying a GPO that denies running executable files from all but the C drive. This should solve the problem; however, it could be quite uncomfortable (but safe) for users and is recommended only for experienced administrators.
Thanks to Peter Gramantik


