Windows Shortcuts Icon Parsing Security Issue


    #470552

    I’ve been reading up about the recently revealed Windows Shortcuts/Icon Parsing (.LNK Files) security vulnerability.
    ( http://www.infoworld…lnerability-114 )

    In light of this security threat, Microsoft and several security vendors have recommended taking immediate actions. Among these advisories is this one from Sophos:

    http://www.sophos.co…indows-systems/

    I have several related questions about the advice in these advisories (including the one from Microsoft, with its pair of “Fixits”).

    Quote #1:

    For now, Microsoft advises that you disable icons for shortcuts. Unfortunately, this is highly impractical for most environments. While it would certainly solve the problem, it would also cause mass confusion among many users and might not be worth the support calls. Microsoft also suggests disabling the WebClient service that is used for WebDav. If you are not a Microsoft SharePoint customer this may be a solution, but many organizations rely on SharePoint so this is limiting as well.

    But I do not want to get all of my System Icons and Shortcuts messed up or destroyed. So, is there any other, less drastic workaround which solves this issue but will leave me with better Windows Desktop functionality?

    Quote #2:

    Today, a colleague suggested the best mitigation I have heard so far: deploying a GPO disallowing the use of executable files that are not on the C: drive. This will work for most environments, and you really shouldn’t be running executables from USB drives and network shares anyway. We tested this solution against the vulnerability and it does in fact provide protection.

    I have uncovered Microsoft’s on-line tool for converting various Group Policy Editor functions into their Registry Entries:

    http://gps.cloudapp.net/

    Does this (Sophos recommended) workaround cover the current .LNK vulnerability? Will it cause any undesirable side effects?

    If this looks like a promising workaround, I would like to create the Group Policy to accomplish this. But I run Windows 7 Home Premium (64-bit), and we Home Users do not have the Group Policy Snap-In. So, gpe.msc and the Editor in the Control Panel (as well as other Administrator Controls) are not available to us. What can I do to put this one Group Policy into my laptop?

    I have one Administrator-level user account, and one Standard User Account. If the Registry must be edited, I know how to create a .REG backup file and save it to a safe location.

    If possible, I’d like to make two Registry Batch Files: one to implement this Group Policy, and the other to Undo the changes. I think these Batch Files can be written so as to be able to click or double-click on each one to run all the necessary operations, like a Windows Command File. I just don’t know exactly what to put into the batch files, and how to write them to do the Registry Editing automatically. I’ve seen such Registry batch files in the Windows Secrets newsletter from time to time.

    Any clues or informed opinions would be much appreciated. Thanks in advance.

    -- rc primak

    • #1235941

      This would not be a problem if people scanned things before opening them.
      If you are concerned about this, disabling the webclient would be my choice. Least likely to wreck anything.

      cheers, Paul

    • #1235963

      Note to others reading this thread: The purpose of disabling executables other than on your C drive is to prevent an LNK shortcut file traveling together with malware on a USB flash drive or other source other than the C drive from executing the malware. There is no guarantee that this will defeat the exploit if there is another way to get the malware into a known location on your computer.

      Does this (Sophos recommended) workaround cover the current .LNK vulnerability? Will it cause any undesirable side effects?

      If this looks like a promising workaround, I would like to create the Group Policy to accomplish this. But I run Windows 7 Home Premium (64-bit), and we Home Users do not have the Group Policy Snap-In. So, gpe.msc and the Editor in the Control Panel (as well as other Administrator Controls) are not available to us. What can I do to put this one Group Policy into my laptop?

      I don’t see an exact analog to the workaround described in that first post on the Sophos blog, but there is a later workaround post that suggests using Software Restriction Policies. This is documented by Microsoft here: Using Software Restriction Policies to Protect Against Unauthorized Software.

      To add a local security policy, you can launch the policy editor using Start > Run, then:

      Code:
      secpol.msc /s

      If you expand “Software Restriction Policies” and nothing is listed, right-click and choose Create New Policies. Under Additional Rules add a rule to allow executables to run from the C drive. I also added a specific rule for this dialog just in case:

      If you have another hard drive partition containing executables, then you would want to add a rule for that as well.

      Once your “allow” rules are set, you can disallow everything else:

      This should make it impossible to execute files from, say, your USB flash drive.

      After saving the policy, it should be added to the registry somewhere. Whether it would be easier to use a .reg file, I don’t know.

      This would not be a problem if people scanned things before opening them.

      I don’t think I could train users to scan every network drive before browsing it…

    • #1235975

      Not sure what’s wrong with the images in my post.

      But I wanted to add: it’s possible to deliver this exploit in a ZIP file (EXE and LNK together), so users need to be extra cautious about those until Microsoft fixes this bug.

    • #1236142

      I tried to run “secpol.msc”, and the file was not found. This component is not present in Windows 7 Home Premium. We Home Version users do not have any security policy snap-in whatsoever. So I still need to know how (where) to edit the Registry manually to implement a comparable restriction on exe’s so they cannot execute from anywhere other than the C Drive in HOME editions of Windows which do not have any Security Policy Editor available.

      It gets even worse. Windows 7 Home Premium does not support any form of Group Policies whatsoever. I guess the Sophos advice is totally unusable for Home Premium users. Let me know if anything is found which shows any direct Registry Edits which can accomplish the same results.

      -- rc primak

      • #1236217

        We Home Version users do not have any security policy snap-in whatsoever. So I still need to know how (where) to edit the Registry manually to implement a comparable restriction on exe’s so they cannot execute from anywhere other than the C Drive in HOME editions of Windows which do not have any Security Policy Editor available.

        Sorry to hear that. You could try the attached file (rename it .reg).

        First, you should export what you have here: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer

        I have several items there under CodeIdentifiers which I think pre-dated my experimentation. To avoid conflicts, I deleted those from the attached.

        The effective line which excludes all other executable paths is under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers: DefaultLevel=0. To return to a permissive policy, change that to DefaultLevel=40000 hex or 262144 decimal.

        If you get stuck and can’t run any programs, what I have read is that you can either boot into Safe Mode to edit the settings, or log in as Administrator (not a user who has admin power, but actually as Administrator).

        Does it work?

    • #1236370

      (Note to people following this thread: READ PAST THIS ENTRY. DO NOT USE THIS SUGGESTED WORKAROUND. IT DOES NOT WORK! Back to the original thread: )
      @JScher —

      Thanks much for such a simple RegEdit to disable executions from non-C-Drive locations, thus mitigating much of the .LNK and .PIF Security threat. For those of us who do not have a Group Policy Editor (GPE) (which means anyone whose Windows is any Home Edition), this is the only way I have found to mitigate the threat without wrecking Windows to the point where “the cure is worse than the disease”. Since I have a new, relative tweak-free installation of Windows 7 Home Premium, I have no “codeidentifier” entries, except the Default, which has no values whatsoever. This is the entry I will back up and then alter to the value you recommend to block non-C locations from executing. I will Edit this Post with my results.

      See you on the other side!


      Attached you will find two “Snippies” from Windows 7 RegEdit panes. (They should display in-line.) Regedit1 is the left-hand pane, showing the location where I edited. Regedit2 is the right-hand pane, showing the edited (current) values of this location. As I said above, I had only one entry in Safer, so there was nothing to delete. The Value had never been set, so the “Default” line Data originally read “(no value set)”. This makes me feel pretty confident I edited the right place and the right value. If I want to reverse this change when Microsoft patches the vulnerability, I can completely reverse this change by inserting a “(no value set)” value in this place.

      I have backed up all your instructions, your attachment, and my work and screen-shots to another (non-C) partition. Later, I will back up these items to a totally external location for safe-keeping.

      Did I do what you told me to do correctly? And should this accomplish what we have set out to do in this thread?

      Post-reboot note: All seems to be well. Programs are executing from the C-Drive just fine. No exceptions noted so far.

      -- rc primak

      • #1236423

        There should be more entries…

        Post-reboot note: All seems to be well. Programs are executing from the C-Drive just fine. No exceptions noted so far.

        And are programs on CD, DVD, USB, external hard drive all blocked as expected?

        • #1236556

          There should be more entries…

          And are programs on CD, DVD, USB, external hard drive all blocked as expected?

          There was never more than the one entry at this location. Perhaps there are some hidden entries? Otherwise, what shows in the screen shots is all there ever was at that Registry location. As I say, Security Policies and Group Policies do not normally exist in Home Editions of Windows.

          I don’t run programs from non-C locations, except if there are CD’s which have programs which are supposed to run from the CD directly. Would that include installers? Other than installation CD’s, I have nothing which is supposed to run from the CD/DVD Drive. I do have some Linux Live CD’s, but they run entirely outside of Windows. So I have nothing I know of which would test whether I am protected. Is there anything free (and safe) which I could download to a USB Drive for a test run?

          -- rc primak

    • #1236581

      @JScher —

      I respect you and have found your advice here in the Lounge very useful and usually accurate in the past, BUT … (the advice did not work).

      I have a Flash Drive on which I placed a Conficker test group of files, which includes an Autorun and the MS Paint .exe file. The Autorun does not run in my Windows 7 (before or after modifications to the Registry), but the Registry modifications (if I did them correctly) do not seem to have any effect on the .exe on the Flash Drive — it still was able to run.

      Post Edited to remove offensive content. I apologize.

      Again, I mean no disrespect, but it is dangerous to play around in the Windows Registry unless you know exactly what to modify, and the correct values to place in there. (I am referring to my own lack of familiarity with the Windows Registry here.) If there are any documented Registry workarounds to Home Editions of Windows which lack Local Security Policies and Group Policies, anyone should feel free to post references to articles or instructions posted by people who know their way around inside the 64-bit Windows 7 Home Premium Registry. Otherwise, I will just sit back and wait for Microsoft (or someone else) to issue a realistic solution for the .LNK/.PIF security issue.

      The present MS Fixit is totally unacceptable, as it renders the Windows User Interface crippled beyond use. So, we Home Edition users are once again left by Microsoft twisting in the breeze, while Business and Enterprise users get to protect themselves without wrecking Windows beyond use. Thanks, Microsoft! I feel safer already!

      -- rc primak

      • #1236585

        I respect you and have found your advice here in the Lounge very useful and usually accurate in the past, BUT …


        After playing around with Regedit in the Admin Account, I conclude that you know absolutely NOTHING about what you are talking about. You do not understand the Windows 7 Home Premium 64-bit Registry, and your suggestions have absolutely no effect whatsoever on the ability of .exe files to execute from my USB Flash Drives. So we are back to waiting for Microsoft to come up with a patch for this vulnerability. Please research your suggestions in the future, to avoid this kind of waste of time and effort, especially when recommending Registry Edits, which can have serious consequences if one does not know what one is doing in there.

        Did you merge the complete file into your registry or did you just type in what you thought was appropriate? Rather than flame someone why not ask how he arrived at the file? There are several ways to capture registry changes.

        Just because gpedit.msc or secpol.msc are not available in a home edition does not mean you can’t set policies. You can’t setup groups and push the policies as you can with Windows Server and the Pro & Enterprise version of Windows. All those tools end up doing are setting registry entries. You just don’t have those tools to help.

        BTW, this is the first post in this thread where you mentioned 64-bit Windows.

        Joe

        --Joe

        • #1236645

          Did you merge the complete file into your registry or did you just type in what you thought was appropriate? Rather than flame someone why not ask how he arrived at the file? There are several ways to capture registry changes.

          Just because gpedit.msc or secpol.msc are not available in a home edition does not mean you can’t set policies. You can’t setup groups and push the policies as you can with Windows Server and the Pro & Enterprise version of Windows. All those tools end up doing are setting registry entries. You just don’t have those tools to help.

          BTW, this is the first post in this thread where you mentioned 64-bit Windows.

          Joe

          First, let me apologize for any impression I made earlier that I was flaming anyone. As I posted, I respect JScher and yourself, JoeP, and would never want to offend either one of you. I have edited my previous post to remove the offensive content.

          Second, I was not aware that not mentioning that I run 64-bit Windows Home Premium could make a difference in the advice you folks may be able to provide. I apologize for any misunderstandings this may have caused.

          I don’t understand the difference between “merging” Registry Keys, vs. creating or editing keys directly through Regedit. This fact alone means I should probably not be messing around with my Windows 7 Registry. I would be interested as a future reference in any information about how these methods differ, and when and how to use one or another. I would also be interested in any references or links to articles about how to create and modify Registry entries in Windows 7 Home Premium 64-bit, so as to achieve the same results which Professional and Ultimate users can get by creating and modifying Group Policies or Security Policies (also not available as a snap-in in Windows 7 Home Premium).

          But in the immediate case of the .LNK/.PIF security hole, there has been an article posted at Infoworld News recently, which shows links to two security companies which have come out with protections against this vulnerability. The G-Data download seems to be looking at signatures or heuristics, whereas the Sophos Solution seems to be replacing the Windows Icon Handler completely with a more secure parser. These are the kind of workarounds I and most Windows home users have been looking for ever since news of this security issue first was reported in (among other places) Woody Leonhard’s AskWoody web site (and his Infoworld TechWatch article).

          To me (and this is only my uninformed opinion) the Sophos solution looks the most promising, if it can later be uninstalled when Microsoft issues a patch. I think I will try installing this workaround and see if it breaks anything. Sophos should be a trustworthy company, as is G-Data.

          Again, let me apologize for not showing the respect which all of you here at The Lounge deserve. I know I have complained when people have flamed me and called me out as not knowing what I am talking about, and I should show the same respect towards others that I want people to show towards me. I hope my references in this post will help people who are genuinely concerned about mitigating the .LNK/.PIF threat make a wise and effective choice among the various mitigation options now available until Microsoft issues a patch to cover this hole.

          -- rc primak

    • #1236658

      There is no difference in merging new registry entries or creating the same entries yourself. People often assume that if an entry is missing in a merged .reg file it will be deleted in the registry if it exists. This is not true. Merging is definitely a merge and not necessarily the same as an edit. You need to be very careful there.

      The reason I questioned your registry screen shot is that in your screen capture it does not appear that all the same entries are in your registry as are in the file posted.

      The biggest difference in adding registry entries to a 64-bit version of Windows is that there is a node called Wow6432node under HKLM\Software (HKey Local Machine). This node is for 32-bit software running on the 64-bit OS. You need to know whether the registry entries apply to 64-bit side only, the 32-bit side only, or both. In this case you’d think that because of the level at which the device interaction occurs with the OS that having the entries in the 64-bit only part would be fine. However, I can’t say that for sure.

      If you believe that one of the third party approaches will work better that is fine. Go for it. I’d just backup/copy any files that will be modified and then restore them when Microsoft releases a patch but before applying the patch.

      Joe

      --Joe
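The original post asked for a pair of registry batch files (one to apply the "C: drive only" restriction, one to undo it), JScher's reply gave the key values (DefaultLevel=0 under Safer\CodeIdentifiers to disallow, 0x40000 to return to permissive), and JoeP's reply points out that secpol.msc only writes those same registry entries. The script below is an added example written for this thread; it is not JScher's attachment and not anything from Microsoft or Sophos. It takes the Software Restriction Policy registry layout as given (the value names PolicyScope, TransparentEnabled, DefaultLevel, and the per-rule ItemData/SaferFlags values under CodeIdentifiers\262144\Paths\{GUID}), and it assumes that a Home edition honours those keys at all, which is exactly the point the thread could not confirm: rc primak reports that the edit had no effect on his machine. It exports the Safer key before touching it, writes the allow rule before switching the default level so there is never a window with nothing allowed, and leaves a query function so the result can be checked without screenshots.

```powershell
# Added example for this thread, not JScher's .reg attachment.
# Registry-only Software Restriction Policy: allow execution from C:\, disallow elsewhere.
# Assumptions: the SRP value names below are honoured on this edition of Windows
# (the thread reports they were not on one Windows 7 Home Premium x64 laptop), and
# the ExecutableTypes list keeps its built-in default because it is not written here.
# Run from an elevated 64-bit PowerShell:  .\SaferPolicy.ps1 apply | undo | (no arg = show)
# If a mistake locks out every program, the thread's fallback applies: boot to Safe Mode
# or log in as the built-in Administrator and run the undo branch.

$SaferRegPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer'   # for reg.exe
$Safer        = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer"   # for the PS provider
$CodeId       = "$Safer\CodeIdentifiers"
$Backup       = Join-Path $env:USERPROFILE 'Safer-backup.reg'

function Backup-SaferPolicy {
    # Same thing as File > Export in Regedit. On a fresh machine the key may not exist
    # yet, in which case the backup is a .reg that deletes the key, restoring "absent".
    if (Test-Path $Safer) {
        & reg.exe export $SaferRegPath $Backup /y | Out-Null
    } else {
        "Windows Registry Editor Version 5.00`r`n`r`n[-$SaferRegPath]`r`n" |
            Set-Content -Path $Backup -Encoding Unicode
    }
}

function Add-AllowPathRule {
    param([string]$Path, [string]$Description)
    # Unrestricted path rules live under CodeIdentifiers\262144 (0x40000)\Paths\{GUID}.
    $rule = "$CodeId\262144\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name ItemData    -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $rule -Name SaferFlags  -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $rule -Name Description -PropertyType String       -Value $Description -Force | Out-Null
}

function Enable-SaferPolicy {
    Backup-SaferPolicy
    New-Item -Path $CodeId -Force | Out-Null
    # PolicyScope 0 = all users including administrators; TransparentEnabled 1 = all
    # software files except libraries (DLLs), which is the secpol.msc default.
    New-ItemProperty -Path $CodeId -Name PolicyScope        -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $CodeId -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
    # Allow rule first, so the default level never applies with nothing allowed.
    Add-AllowPathRule -Path 'C:\' -Description 'Allow the system drive (the allow rule from this thread)'
    # DefaultLevel 0 = Disallowed for anything no allow rule matches (JScher's value).
    New-ItemProperty -Path $CodeId -Name DefaultLevel -PropertyType DWord -Value 0 -Force | Out-Null
}

function Disable-SaferPolicy {
    # Back to permissive: 0x40000 = 262144 decimal = Unrestricted, as JScher's post says.
    # The allow rules are left in place; they are harmless under an unrestricted default.
    New-ItemProperty -Path $CodeId -Name DefaultLevel -PropertyType DWord -Value 0x40000 -Force | Out-Null
}

function Get-SaferPolicyState {
    # What the registry actually says now, so a screenshot is not needed to compare.
    $p = Get-ItemProperty -Path $CodeId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DefaultLevel = if ($null -ne $p -and $null -ne $p.DefaultLevel) { '0x{0:X}' -f $p.DefaultLevel } else { 'not set' }
        AllowRules   = @(Get-ChildItem -Path "$CodeId\262144\Paths" -ErrorAction SilentlyContinue |
                         ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
        BackupFile   = if (Test-Path $Backup) { $Backup } else { 'none yet' }
    }
}

switch ($args[0]) {
    'apply' { Enable-SaferPolicy;  Get-SaferPolicyState }
    'undo'  { Disable-SaferPolicy; Get-SaferPolicyState }
    default { Get-SaferPolicyState }
}
```

After `apply`, log off or reboot (the thread's own post-reboot check) and then confirm two things: `Get-SaferPolicyState` shows DefaultLevel 0x0 with `C:\` in AllowRules, and a known-good executable copied to a USB stick refuses to start while the same program still runs from C:\. If the second check fails, as it did for rc primak, the edition is not enforcing the keys and the script has not protected anything; run `undo` and fall back to one of the vendor fixes discussed later in the thread.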

    • #1236676

      Thanks, JoeP for your explanation. I was quite confused about all of this, and I am still a bit befuddled. But enough about the Windows Registry — now for the results of applying the Sophos fix.

      The Sophos fix installed as a (x86) program under Windows 7 Home Premium 64-bit. It adds two .dll files, and removes nothing. Those two .dll files live within the Sophos program folder itself. When the fix is removed (It has an Add/Remove Programs listing and an Uninstaller.), the two.dll files, and any Registry entries pointing to them, will be removed, leaving Microsoft entirely to its own devices. What I like about this scheme (in addition to the fact that it is completely reversible) is that the fix takes over control of Shortcut Icon Handling completely, effectively replacing both the 32-bit and the 64-bit Windows Shortcut Icon Handlers. (The G-Data solution only checks for bad signatures, and this seems less effective to me.) This (Sophos fix) should eliminate the Microsoft vulnerability.

      I noticed upon rebooting that a few desktop and Start Menu Icons were rendering as generic white icons, but I was able to substitute the real icons by using Properties>>Customize>>Change Icon and Browsing to the Programs or Programs (x86) locations for the target executables. In all cases, this gave me the correct icons on the desktop and in the Start menu. All Shortcuts are fully functional.

      The Sophos fix will not prevent execution from non-C-drive locations, as it does not need to block such executions. The new .dll Handler files should offer the needed protections without impairing Windows functionality, except in a few cases where programs generate icons in unusual ways (as I have noted here).

      To be clear, before applying any future Microsoft patch for this issue, I will definitely uninstall with (Glary Utilities) Absolute Uninstaller the entire Sophos fix.

      Thanks to everyone who helped in this thread. I think the situation is now under pretty good control, and I have my security and my icons as well. All in all, a most successful operation!

      Now I really do feel safer!

      (BTW, JoeP, my original posting clearly stated that my Windows 7 Home Premium is 64-bit. The “(64-bit)” part got shoved to another line, but it was clearly there. Not that this is in any way an important point at this stage.)

      -- rc primak

    • #1236687

      I should have made clear that I run Windows XP Pro, and I had no way to test the .reg file under other versions of Windows.

      Apparently it did not import/merge successfully on Win7/64/Home for one reason or another (none of the crucial keys or values were added to the registry). Whether that is related to the XP/7 version or 32/64 bitness or Pro/Home flavor or permissions or something else we don’t know.

      Some day I will have a chance to work with Windows 7 and learn more about using .reg files on that platform.

      • #1236730

        I should have made clear that I run Windows XP Pro, and I had no way to test the .reg file under other versions of Windows.

        Apparently it did not import/merge successfully on Win7/64/Home for one reason or another (none of the crucial keys or values were added to the registry). Whether that is related to the XP/7 version or 32/64 bitness or Pro/Home flavor or permissions or something else we don’t know.

        Some day I will have a chance to work with Windows 7 and learn more about using .reg files on that platform.

        I’m not angry, and that “flame” earlier was actually an error on my part which rendered a whole paragraph in bold when I only wanted the last “BUT” in the previous paragraph to be in bold. But in any event, my words were far too harsh. We all may have much to learn about Windows 7, as this is still a relatively new Operating System.

        What I was getting very worried about was that the Registry in my computer was looking nothing like the Registry in yours. I guess I could have reminded you that I just bought a new laptop. My old laptop is Windows XP Pro, and it has the Group Policies and Security Policies, so I can with effort make any changes recommended for that laptop. But my new Toshiba Satellite runs Windows 7 Home Premium 64-bit, and the 64-bit Windows Registry is a whole new animal. Lots of new complexities I can only now begin to appreciate. If editing a 32-bit Registry can be off-putting, the 64-bit Registry is truly daunting. Not a project I ever want to engage in unless shepherded by a true expert.

        All that aside, the Sophos fix for this vulnerability is working out just fine so far, except that somehow my Toshiba got entered into a Homegroup. I hope leaving that Homegroup has not weakened any of the Sophos security protections. Anyway, nothing complained when my Standard User Account made that change. So I still feel safe for the time being. Remember, anything we can do to mitigate the threat is going to be only temporary, just until Microsoft finally patches the underlying issue(s). That should be within the next month or so.

        Again, JScher and JoeP, thanks for your help, and here’s hoping we don’t get into this level of complexity again too soon.

        -- rc primak

    • #1236973

      --Joe

      • #1237238

        Microsoft to issue a malicious shortcut file fix » Windows Secrets Lounge.

        Joe

        Thanks, JoeP!

        Even Woody Leonhard has advised people to apply the patch ASAP on all Windows systems. I will be doing so myself on both of my laptops. Be advised that if you have applied ANY interim fix or Fixit, remove ALL of these completely before applying the Microsoft patch. So far, no one seems to be screaming or tearing their hair out over any side effects from the patch, so go for it. Do it now! I’ll wait.

        Update: Aug. 3, 2010 — I have applied the Microsoft patch to both of my laptops, and it seems to do no harm. So this exploit is now patched, and the whole issue of mitigation is moot.

        If anyone has not yet upgraded Windows XP to SP3, I would be curious as to whether applying the Microsoft patch to Windows 2000 or Windows XP SP2 or earlier works, and if there are any issues or side-effects on these older Windows versions. I seem to have read somewhere that the patch can be downloaded as a stand-alone from someplace at Microsoft.

        -- rc primak
