windows 0 day flaw:(

[26Dolphins]

Sope,
The Sophos tool can easily be uninstalled through Add/ Remove Programs or any uninstaller of your choice. It might not be necessary thow, as it's an extra layer of protection/ prevention.

[Sope]

@26Dolphins

That Sophos demo video you linked, and the info regarding the uninstall were very helpful, thanks.

I'll probably give it a go, it'll be interesting to see if it causes any noticeable slowdown to the display of shortcut icons.

[J_L]

Quote:

Originally Posted by Concerned User

Sorry to double post!

Sophos is providing a free tool to that is supposed to protect against this risk. More details here:

http://www.sophos.com/security/topic/shortcut.html

Obviously, Microsoft does not like this




Link to full article:

http://www.computerworld.com/s/artic...ortcut_attacks

Thanks for sharing!

Edit:
http://www.h-online.com/security/new...e-1046183.html
GData's may be better.

[Anupam]

I have the MS fix for this installed on my system. Should I uninstall it and install the one from Sophos instead? Or, can I have both installed? . Anyone knows how is Sophos fix different from the MS fix? If there is a difference, why... and why is MS not employing that to fix the vulnerability.

[MidnightCowboy]

Quote:

Originally Posted by Anupam

I have the MS fix for this installed on my system. Should I uninstall it and install the one from Sophos instead? Or, can I have both installed? . Anyone knows how is Sophos fix different from the MS fix? If there is a difference, why... and why is MS not employing that to fix the vulnerability.

Can't help with this because I don't understand enough about how the malware process manipulates this Windows function.

I've noticed no impact in any way though since installing the Sophos solution, and out of all the vendors out there (famous last words) I trust these more than most. If this was from Comodo we'd probably all be looking at blue screens right now

[26Dolphins]

Hi,

Quote:

Originally Posted by MidnightCowboy

... If this was from Comodo we'd probably all be looking at blue screens right now

Now MC, why are you hurting Comodo's feelings?

On topic:
First off, thanks for the heads up on GData's Tool J.L.
Upon reading the article on h-online, I decided to do a little experiment trying out both tools - Anupam, I think this might shed some light to your first question.

With none of the tools installed and without doing the MS "fix", I have the following entries in my registry:
1. HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
2. HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
Both of them have only (Default) with the value of {00021401-0000-0000-C000-000000000046}

When I installd either of the two tools, the entries for 2 (piffile) don't change, but the entries for 1 (lnkfile) do. Each of these tools makes its own handler the Default one and pushes the MS Windows one down as the OldIconHandler (name is not exactly the same, but that doesn't matter).
Uninstalling them reverses the entries to the original MS Windows ones.

@Anupam
Judging from this and given that the MS "fix" changes the value of the default entry, I'm not sure if keeping both won't mess up the handling of the .lnk files.

@Sope
About my previous statement that you may not need to uninstall it, I now think that when you apply the MS patch it'll overwrite these entries, I'm just not sure which ones it'll try to overwrite (probably the "Default" ones) and if that could lead to any messes.

As for the Tools themselves:
1. None of them protect .pif files which are covered by the MS "fix" - notice how both Sophos and GData emphasis on the .lnk files and say nth about the .pif ones; I wonder why as I've found out that they do play a rather important role and are often used for malicious actions.
2. GData's one requires a reboot, both for install and uninstall (but I didn't check if the registry changes take place only after the reboot), while the Sophos one doesn't (changes are in effect right away).
3. GData's Tool replaced all links considered unsafe with an ugly STOP sign icon - changed the icons of Local Connections, Internet Settings, Add/ Remove Programs and .txt files - didn't check the rest.
4. After uninstalling it, it had broken the default Windows icon for .txt files - had to reasign it through File Association.

So, for the time I'll stick with the Sophos one, even if it has a "flaw":

Quote:

What does the tool consider an exploit?
A Windows shortcut is deemed to contain the exploit if:
* it is a Control Panel shortcut,
* and it points to an existing file that can be opened for execution,
* and neither the shortcut nor the shortcut's target are on the computer's local disk.

I'm curious if one could make use of the MS "fix" regarding the .pif files protection with the other Tools without breaking the visuals of the OS.

[Anupam]

Thanks for this 26Dolphins. I think I will stick to the original MS fix, since it covers both lnk and pif.

[MidnightCowboy]

Quote:

Originally Posted by 26Dolphins

Hi,

Now MC, why are you hurting Comodo's feelings?

Sorry, didn't know they had any

[26Dolphins]

Hi,

Quote:

Originally Posted by MidnightCowboy

Sorry, didn't know they had any

They don't? Forgive my ignorance.

[Concerned User]

Update:

Microsoft will be releasing an "out of band" (emergency) update on Monday, August 2. Glad that they realize the importance of this flaw:

http://blogs.technet.com/b/msrc/arch...y-2286198.aspx

A much more detailed article:

http://www.theregister.co.uk/2010/07...crosoft_patch/