
Microsoft To Issue Emergency Fix For Windows .LNK Flaw

Soulskill posted about 4 years ago | from the tee-plus-two-weeks dept.


Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."
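The summary says what the flaw was used for but not what a .lnk file actually contains, so here is an added example (written for this page, not code from Microsoft, Threatpost or any of the Stuxnet write-ups) that parses the Shell Link binary format as documented in Microsoft's public MS-SHLLINK specification: the fixed 76-byte header, the link target item-ID list, and the string fields. Explorer reads these structures to resolve a shortcut's target and icon as soon as a folder is displayed, which is why a shortcut on removable media gets parsed before anyone clicks it. The example makes no claim to detect the vulnerable condition (the summary gives no details of it); it shows an analyst what is inside the .lnk files pulled off a suspect drive and rejects structurally malformed ones. The sample bytes, field values and the `scan_dir` directory argument are all constructed for the demonstration.

```python
"""Parse the Windows Shell Link (.lnk) format per Microsoft's public MS-SHLLINK
spec: the 76-byte ShellLinkHeader, the LinkTargetIDList (the item-ID list the
shell resolves when it draws a shortcut's icon) and the StringData fields.
Stand-alone: the sample .lnk below is constructed, not a real shortcut or malware."""
import struct
from pathlib import Path

HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINK_FLAGS = {0: "HasLinkTargetIDList", 1: "HasLinkInfo", 2: "HasName",
              3: "HasRelativePath", 4: "HasWorkingDir", 5: "HasArguments",
              6: "HasIconLocation", 7: "IsUnicode", 8: "ForceNoLinkInfo",
              9: "HasExpString", 12: "HasDarwinID", 13: "RunAsUser", 14: "HasExpIcon"}
STRING_FIELDS = ((2, "Name"), (3, "RelativePath"), (4, "WorkingDir"),
                 (5, "Arguments"), (6, "IconLocation"))

class LnkError(ValueError):
    """Raised for anything that is not a well-formed Shell Link."""

def parse_lnk(data: bytes) -> dict:
    try:
        return _parse(data)
    except struct.error as exc:            # a fixed-size field ran past the end of the data
        raise LnkError(f"truncated structure: {exc}") from None

def _parse(data: bytes) -> dict:
    if len(data) < HEADER_SIZE:
        raise LnkError("shorter than ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != SHELL_LINK_CLSID:
        raise LnkError("bad HeaderSize or LinkCLSID")
    attrs, _ctime, _atime, _wtime, size, icon, show = struct.unpack_from("<I3QIiI", data, 24)
    rec = {"flags": [n for b, n in LINK_FLAGS.items() if flags >> b & 1],
           "file_attributes": attrs, "file_size": size, "icon_index": icon,
           "show_command": show, "item_ids": [], "strings": {}, "warnings": []}
    pos = HEADER_SIZE
    if flags & 0x01:                                    # HasLinkTargetIDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + idlist_size
        if end > len(data):
            raise LnkError("IDListSize runs past end of file")
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:                          # TerminalID closes the list
                pos += 2
                break
            if item_size < 2 or pos + item_size > end:
                raise LnkError("ItemID overruns its IDList")
            rec["item_ids"].append(data[pos + 2:pos + item_size].hex())  # raw ItemID bytes
            pos += item_size
        else:
            rec["warnings"].append("IDList lacks TerminalID")
        pos = end
    if flags & 0x02:                                    # HasLinkInfo: skipped, not decoded here
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & 0x80)                        # IsUnicode selects UTF-16LE strings
    for bit, name in STRING_FIELDS:
        if flags >> bit & 1:
            (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, not bytes
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            rec["strings"][name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
            pos += len(raw)
    rec["trailing_bytes"] = len(data) - pos             # extra data blocks etc., not parsed
    return rec

def scan_dir(root: str) -> list:
    """Summarise every *.lnk under `root`, e.g. a mounted USB drive (constructed usage)."""
    out = []
    for p in Path(root).rglob("*.lnk"):
        try:
            rec = parse_lnk(p.read_bytes())
            out.append((str(p), rec["flags"], len(rec["item_ids"]), rec["strings"]))
        except LnkError as exc:
            out.append((str(p), "MALFORMED", str(exc)))
    return out

def build_sample_lnk() -> bytes:
    """Constructed sample: Unicode link, two-item target ID list, a RelativePath,
    no LinkInfo.  ItemID payloads are arbitrary filler bytes."""
    flags = 0x01 | 0x08 | 0x80                           # IDList | RelativePath | IsUnicode
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, SHELL_LINK_CLSID, flags,
                         0x20, 0, 0, 0, 4096, 0, 1, 0, 0, 0, 0)   # ARCHIVE attr, SW_SHOWNORMAL
    item1 = b"\x1f\x50" + bytes(16)
    item2 = b"\x31\x00" + b"A" * 12
    idlist = (struct.pack("<H", len(item1) + 2) + item1 +
              struct.pack("<H", len(item2) + 2) + item2 + b"\x00\x00")
    rel = "..\\tools\\update.exe".encode("utf-16-le")
    return header + struct.pack("<H", len(idlist)) + idlist + struct.pack("<H", len(rel) // 2) + rel

if __name__ == "__main__":
    print(parse_lnk(build_sample_lnk()))
```

Point `scan_dir` at the mount point of a drive you do not trust and read the output before you ever open that folder in Explorer; a shortcut whose IDList or string fields are cut short, or whose CLSID is wrong, is a parser-stress artefact rather than a shortcut and should be treated accordingly.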


112 comments


o m g (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33094104)

first post @ 5h30.

Slow news day (0)

Anonymous Coward | about 4 years ago | (#33094122)

Microsoft has been suffering and fixing security holes for decades, not that interesting.

Re:Slow news day (1)

Dumnezeu (1673634) | about 4 years ago | (#33094200)

Microsoft has been suffering and fixing security holes for decades, not that interesting.

Remember the Blaster worm? This is its younger cousin.

Re:Slow news day (0)

Anonymous Coward | about 4 years ago | (#33094324)

Doubtful.

Re:Slow news day (1)

DAldredge (2353) | about 4 years ago | (#33095430)

Remember the Morris Worm?

Re:Slow news day (1)

symbolset (646467) | about 4 years ago | (#33097648)

Ah. *nix had, and fixed, network vulnerabilities long before there even was a Windows. Definitely before Windows even had networking.

We know this. What's confusing is how pointing this out serves your desire for advocacy.

Also curious is how this is an emergency. The patch blocks one hole in a colander. Couldn't that wait a week?

Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33094146)

Converting anyone who listened to this podcast [grc.com] from Windows to Linux, that is.

Re:Too bad, it's a great conversion tool. (1)

Nialin (570647) | about 4 years ago | (#33094188)

I would learn Linux, if I wasn't completely retarded in regards to any type of coding or computer language in general. (this is based on the limited demos from Linux friends)

Re:Too bad, it's a great conversion tool. (1)

Freultwah (739055) | about 4 years ago | (#33094228)

When did they last show it to you? It's not 1995 anymore. It can be used as a desktop OS without knowing how to code and it has been this way for quite some time now. There can be problems with it, but they can definitely not be reduced to the lack of coding abilities. For most people, it's more like "too many varieties to choose from" and that applies to distributions, desktop environments and software.

Re:Too bad, it's a great conversion tool. (2, Insightful)

poptones (653660) | about 4 years ago | (#33094232)

My GF uses Ubuntu now and she's never touched Linux before about a month ago. The only thing to "learn" is to lose the bad habits you pick up from a lifetime of Windows use. Just back up your music, movies and emails and reload with Ubuntu. Dual booting is poison because you will inevitably boot into Windows more and more often because it is familiar and "easy." Just wipe out Windows, reload the machine from the ground up with Linux, use it for a month and you'll never go back. If you want to play games, buy a 360...

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33094244)

you'll never go back

I hear you. Those damn Linux boot loaders can be hard to get rid of.

Re:Too bad, it's a great conversion tool. (2, Insightful)

RulerOf (975607) | about 4 years ago | (#33094406)

I hear you. Those damn Linux boot loaders can be hard to get rid of.

Indeed. I've been using SYSLINUX and COM32 for some time now and I love them to pieces. They make NTLDR, and, to a lesser extent, the Windows Boot Manager, look like kids' toys.

Re:Too bad, it's a great conversion tool. (1)

Servaas (1050156) | about 4 years ago | (#33094456)

I hear you. Those damn Linux boot loaders can be hard to get rid of.

Indeed. I've been using SYSLINUX and COM32 for some time now and I love them to pieces. They make NTLDR, and, to a lesser extent, the Windows Boot Manager, look like kids' toys.

The what now? Someone needs to tell Linux that the age of the 1-click iPad has begun. There is a reason for its success. Usability is one of them. Linux is good for being l33t though.

Re:Too bad, it's a great conversion tool. (2, Funny)

RulerOf (975607) | about 4 years ago | (#33094556)

...SYSLINUX....COM32...NTLDR... Windows Boot Manager...

The what now? ...the age of the 1-click iPad has begun. There is a reason for its success...

My Lawn! You BASTARD!

The 1 click wonder? (2, Funny)

poptones (653660) | about 4 years ago | (#33094726)

An ipad? ROTFL. Let's see you develop SOFTWARE for that ipad... on your ipad.

Apple users need to learn to speak without steve's hand up their anus...

Re:The 1 click wonder? (1)

Jesus_666 (702802) | about 4 years ago | (#33094842)

You mean Apple fanboys. I own a Mac and I don't see the iPad as revolutionary, merely a previously-unexplored market niche. No, it doesn't fill the Tablet PC niche; those are essentially graphics tablets with built-in notebooks while the iPad is a scaled-up PDA. Of course it's never going to displace real PCs.

Re:The 1 click wonder? (1)

RulerOf (975607) | about 4 years ago | (#33095180)

No, it doesn't fill the Tablet PC niche;

Ain't that the truth.

I've got a Viliv S5, [myviliv.com] and for what I bought it for (portable MKV/h264 playback and general nerdiness), it function[ed] well (I add the past tense because there's an issue with the Windows 7 wifi driver for it that makes it damn near impossible to stream anything). I have though for the most part stopped using it in favor of AirVideo on my iPhone. Mostly because the phone fits in my pocket. While I find myself watching a TV show or something in bed and think "Hrmmz this would look better on an iPad," I can't really justify buying one because I know I'd never use the damned thing. Hell, my boss has bought half a dozen iPads and I'm not sure that more than one or two of them get any kind of regular use... he's a bit of a fanboy. I digress.

What I'd really like to see is a tablet--any tablet--that runs any OS, be it Windows, [Insert favorite flavor here] Linux, iOS, OS X, even Windows CE or Windows Phone 7, that will act as a Windows Media Center Extender. There aren't any software MCE's currently available (other than in the bowels of Microsoft), but if I could have that experience on a tablet, when I'm away from home I can use the thing for what-the-hell-ever I please, but when I am home I can watch my entire media collection and live TV and DVR all on a single, wireless device. That would be worth $500. My guess is that Ballmer doesn't care though.

[rant]
Hrm, while I'm talking about shit that won't exist in a relevant time frame, I'll say again: Perhaps we can have ISP's that solve the bandwidth problem by capping bandwidth instead of capping transfer. I love being considered as the poster boy for the problem in spite of the fact that I download shit at one fifth of my pipe's speed... in the middle of the night. Really fucking it up for everyone else, I am.
[/rant]

Re:The 1 click wonder? (0)

Anonymous Coward | about 4 years ago | (#33095868)

Can't you just use a media player that properly buffers files on networked storage? The KMPlayer and I think VLC can do this. I don't understand why you need some "Media Player Extender". Just a tablet or netbook with wifi, a share on the PC or storage device with the media and you should be set.

Re:The 1 click wonder? (1)

RulerOf (975607) | about 4 years ago | (#33095964)

There's a bunch of reasons. First and foremost really is the sharing of TV tuners and centralized configuration brought by extending WMC rather than replicating it. Second, extenders do all the heavy lifting on the back end via DXVA and whatnot, which would mean better battery life. Also, it'll optimize any video source, no matter what it is, to run over that network connection.

It's neat stuff, but it's really waiting for a breakout to the mainstream. Windows 7 has made it vastly more powerful, but it'll be a couple more years (or Windows versions) before the average folks start digging into it... though perhaps those people will be more interested in Hulu Plus or whatever at that point :P

Re:The 1 click wonder? (0)

Anonymous Coward | about 4 years ago | (#33096792)

That makes sense then. I wasn't aware that by streaming you meant that the Media Center PC was doing all of the video decoding and sending raw video ala PC Anywhere. I was thinking "Youtube streaming video".

Still, you might look into something based on Nvidia's Tegra. From what I've seen, it's really good with video decoding (h.264 at least) and even has good battery life while doing that. Maybe something like this [pocket-lint.com] or this [slashgear.com] .

Re:The 1 click wonder? (1)

h4rr4r (612664) | about 4 years ago | (#33095940)

How about not using Windows media center?
Better more interoperable solutions exist. Heck you could even use vlc on your current setup and stream to whatever device you wanted so long as it can handle normal video streams.

Re:The 1 click wonder? (0, Flamebait)

RulerOf (975607) | about 4 years ago | (#33096042)

Heck you could even use vlc

There's a small problem centered on VLC really, really, really, extra-super-holy-fuck-it's-a-pile-of-shit sucking. Sure it "plays everything," but until they drop FFMpeg on Windows and embrace directshow or Media Foundation (and by extension, DXVA) it's going to continue to be a heaping pile of shit until the end of time. Not to mention the shitty interface. I've never gotten optical output to work correctly on it, it eats CPU, and it wasn't until just over a year ago that you could even change the volume with the mouse wheel.

Don't get me wrong, it always works, and that's important, but it lacks the polish that just about everything else including other FOSS projects like MPC-HC have had for a VERY long time.

And why Windows Media Center and not MythTV? Three reasons: DXVA, Media Center Extenders (XBox 360's are cheaper and more compact than any computer that would fit the bill, and they have a nice remote), and CableCARD support. There's no other platform that offers that set of features. Also, it's really, really slick :P

Re:The 1 click wonder? (1)

AnEducatedNegro (1372687) | about 4 years ago | (#33096272)

XBox 360's are cheaper and more compact than any computer that would fit the bill, and they have a nice remote

You're welcome [google.com] .

Re:The 1 click wonder? (1)

RulerOf (975607) | about 4 years ago | (#33096850)

Very nice, but in the absence of a software WMC extender, it's still lacking a game breaking feature :(

Re:Too bad, it's a great conversion tool. (2, Interesting)

rduke15 (721841) | about 4 years ago | (#33094314)

VirtualBox is great. I agree that dual boot is a pain, but no access to Windows at all is a pain too. I have an XP VM in VirtualBox (in Ubuntu), so I can use the few Windows-only programs I occasionally need without any trouble.

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33094820)

no access to Windows at all is a pain too. I have an XP VM in VirtualBox (in Ubuntu), so I can use the few Windows-only programs I occasionally need

So have I. But on my list of painful times, these rank among the top.

"Oh, no primary selection... Hm, no single-click menus, either. Oh yeah, also no horizontal/vertical maximize. Hm, no system-controlled full-screen. Damn, no Super-LMB/Super-RMB to drag/resize. Aaand no discrete workspaces. Where's my guake with zsh? Ok, anyway, let's just do this thing. Alright... keyboard, mouse, keyboard, mouse, keyboard, mouse. WTF, how did I ever use this thing?"

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33094460)

That is ridiculous. Why should I spend more money to do something that my computer is already capable of doing right now? Right now, at this very moment I can use my computer to email, chat, browse the web, write documents, keep notes, create images, retouch photos, play audio/video, edit audio/video and play games. I should also mention that for any of the aforementioned, I have a choice of multiple software solutions ranging from limited/broken free stuff to decent mid level shareware to professional quality commercial software to choose from. Things like Illustrator CS5, Photoshop CS5, CorelDRAW X5, MS Office 2010, Ableton Live, Premiere CS5, Avid Media Composer, Pro Tools, FL Studio and StarCraft 2 can't be used on a Linux box or a game console. I can also buy and immediately use any computer peripheral available from any computer store without worries or workarounds. It just works.

Windows was a buggy graphical shell for DOS once upon a time, but it's come a long way since then. I have honestly had very few problems with any version of Windows since the release of Windows XP, including Vista. I'd list versions of NT even further back if you count only stability as important. Windows is my "do all" OS because I can do anything under Windows that could be done under any other desktop OS, but the reverse cannot be said. I'm also at an age now where I don't really care about youthful and/or irrelevant ideals regarding which OS I use. If a Linux OS one day surpasses Windows in hardware support, company support and available software, I'll switch. Until then, I'm going to continue to use what actually works for getting things done. Right now, that's Windows.

getting things done (1)

poptones (653660) | about 4 years ago | (#33094746)

Black hats everywhere would like to thank you for aiding them in their quest to own the internet...

Re:getting things done (0)

Anonymous Coward | about 4 years ago | (#33094774)

Except for the fact that I've never had a Windows box that got compromised or infected with any kind of virus, trojan or malware. Most "vulnerabilities" in Windows are user initiated. Practice a little common sense (i.e. don't run things that come from questionable or unknown sources) and you are unlikely to ever see a problem.

In addition, if you think that a Linux OS is impervious to attack by hackers, then you are naive. The main reason Windows gets attacked more is because it's a much larger and more worthwhile target. The instant any Linux OS pulls ahead, I guarantee that you'll start seeing tons of vulnerabilities for it popping up everywhere.

Re:getting things done (2, Informative)

basscomm (122302) | about 4 years ago | (#33094954)

Except for the fact that I've never had a Windows box that got compromised or infected with any kind of virus, trojan or malware. Most "vulnerabilities" in Windows are user initiated. Practice a little common sense (ie. don't run things that come from questionable or unknown sources) and you are unlikely to ever see a problem.

Baloney. Let me guess, you don't have any antivirus installed either, because you don't need it? Either you haven't been using Windows for very long or your only Windows box is turned off in the corner. Back in the 90s I got a disk from my school that was infected with Stoned [wikipedia.org], and a few years later bought a CD-ROM game that came with Michelangelo [wikipedia.org] on the disc itself. Even more recently, hardware from (more or less) reputable sources comes preloaded [slashdot.org] with [sunbeltsoftware.com] malware [sophos.com]. Heck, part of my job is removing malware from PCs on a near-daily basis, and even though I know better, my USB key got hit by the Autorun worm [techknowl.com] last summer. So yeah, common sense and safe browsing habits are wonderful things, but they're not a panacea. There are so many attacks coming from so many vectors, that if you use a Windows box you will get some kind of infection eventually.

Re:getting things done (0)

Anonymous Coward | about 4 years ago | (#33095072)

Of course I use antivirus and have done so for decades. I also use spyware scanners and run behind two firewalls. When it comes to my PC, I've always exercised extreme caution in regards to computer viruses, trojans and vulnerabilities. It's better to be safe than sorry.

I have had PCs since 1982 and have connected to everything from bulletin board systems of old on a 300 baud modem to our modern internet without issue. I've found viruses and trojans on systems before, but never got infected because I caught them before they were executed. Actually, there was even a time that I purposely collected viruses and distributed them, with full documentation/descriptions of what they were, via my own "elite" BBS. Stoned and Michelangelo? Check. Had those and about two hundred more available for download. Still, never had a problem.

I really don't care if you don't believe me. Your ignorance doesn't change the fact that I've never had a compromised or infected Windows box. Perhaps you are simply more careless about these things than you think.

Re:getting things done (0)

Anonymous Coward | about 4 years ago | (#33096224)

I agree. My home machines have never gotten a virus, and I use them probably 80-85 hours a week. My office machine, however, has been infected twice, and I caught it both times myself, as they were 0-day exploits. Anti-virus at work has not caught anything other than slowing my already slower than crap work PC down even more.

Re:getting things done (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#33095800)

You fucking Windows Trolls are all the same. On one hand you've been telling us (for many years) that there's nothing poor Microsoft can do because they're a "popular target" and "all software has bugs." Yet at the same time you tell us that Windows has improved by such an amazing amount. Microsoft's OSes haven't really changed much in popularity.

So the target's surface area (in terms of popularity) hasn't changed in a significant way but somehow the OS became better? Could it be that popularity isn't the ONLY factor in whether an OS is secure? Could it be that an OS can be relatively secure even though it's popular? You fan boys sure have been telling us that Windows has become secure.

Sure, a system's popularity may mean more attacks from the shadows. That doesn't mean the attacks have to be successful. Similarly, just because a system is attacked infrequently doesn't mean that it will fail should the attacks become more frequent.

Software isn't secure by accident. You have to design for it. Windows didn't become less popular, it became better designed. Tell me Linux has poorly designed security mechanisms and you might interest me more. This popularity metric you insist on using is not much more than F.U.D.

Re:getting things done (0)

Anonymous Coward | about 4 years ago | (#33096280)

Windows is more secure now than ever before, but at the same time the userbase has also grown. Back when Windows 95 came out, far fewer people had computers. These days, you'd be hard pressed to find a household that doesn't have one. Just because the percentages look the same doesn't mean the numbers are the same.

Overall, Windows is much better now than it used to be. You'd have to be blind not to see that. Also keep in mind that software can improve in many ways, not just one.

Linux's primary security mechanism is not running unnecessary tasks, not opening ports unnecessarily and not running with admin privileges by default. These are all things that Windows has gotten better with, but ultimately the most dangerous part of the equation is the user. Give an average user a Linux box and the first time he/she comes across something that needs admin privileges, they are going to want to run with those privileges all of the time, thereby opening up a gaping security hole. The same is currently true in Windows.

So far the success rate of this Stuxnet worm has been extremely low and the majority of the attack attempts have been isolated to areas where people were downloading illicit and questionable material to begin with. Was it too much for you to actually read about it before posting? You'd also do well to present a real argument instead of blindly screaming "FUD" at everything that you don't understand or agree with.

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33095442)

You're too reasonable. We don't want you here.

Re:Too bad, it's a great conversion tool. (2, Insightful)

orangeplanet64 (1381421) | about 4 years ago | (#33094492)

If you want to play games, buy a 360...

i want to play starcraft 2 you insensitive clod..

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33094544)

If you want to play games, buy a 360...

i want to play starcraft 2 you insensitive clod..

Allow me to reply for the freetards:

It is far more important to support free software and advance the cause of free software than to play a closed source game that shackles us with DRM and a closed source operating system. Besides, Starcraft is too hard and I'd get my ass kicked since it isn't anything like Tux Racer and I don't have the fine motor control or reflexes required to approach the APM of even a casual player of non-free games.

Re:Too bad, it's a great conversion tool. (1)

KiloByte (825081) | about 4 years ago | (#33094786)

All the reports on WineHQ say it works just fine.

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33094864)

You mean aside from all of the graphical glitches, performance issues and configuration needed just to get it working in the first place. If you also look at all of the entries it seems that nobody actually tested multiplayer or all of the missions.

Yeah, no thanks.

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33094928)

What works
Everything I tested which includes single player gameplay, audio output, cinematics, multiplayer, custom maps.

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33095538)

- Can't launch game from StarCraft II.exe
- I'm getting that ACCESS_VIOLATION error, applied to an apparently random memory location.
- DirectX / Graphics card error (Nvidia)
- DirectX hang up
- FIX? : Problem Installing from Disc
on Single player when i get into Hyperion Bridge, and select a "planet" for a mission the game close.
- Can't launch installer 2
- Graphical Bug
- Weird Graphical Issue at Login
- Can't launch installer.
- Still no sound
- Slow FPS
- Not working after install

Yeah, seems to be working just fine. According to usual Linux expectations, that is.

Re:Too bad, it's a great conversion tool. (2, Insightful)

Jesus_666 (702802) | about 4 years ago | (#33094546)

If you want to play games, buy a 360...

How do you install System Shock 2 on an X-Box 360? There are games that aren't supported by $CONSOLE but that people still want to play.

If you want to do dualbooting right, just move all of your data to one of the Linux partitions and erase them from the Windows partition. Then uninstall the corresponding programs. Once you're unable to check your mail/chat/etc. in Windows you'll have a much smaller incentive to stay there for longer than necessary.

Re:Too bad, it's a great conversion tool. (1)

dnaumov (453672) | about 4 years ago | (#33094566)

If you want to play games, buy a 360...

Do you want to sponsor me a 360 and a HDTV? No?

Re:Too bad, it's a great conversion tool. (1)

Anarki2004 (1652007) | about 4 years ago | (#33094926)

If you want to play games, buy a 360...

For those of us who don't have money, a 360 is rather expensive. I paid $20 for an NVIDIA GeForce 210 after the $30 rebate. That has 512 megs of DDR2 memory and some other pretty snazzy specs for the money. That opened up quite a few games for me. I've even managed to run Crysis (not at full spec, but it was smooth). An Xbox is quite a bit more expensive than an upgrade.

If they listened to Gibson,Blaster wouldn't happen (0)

Ilgaz (86384) | about 4 years ago | (#33094570)

I remember everyone laughing at GRC.com for alerting about port 135 being wide open to the net. While his kind of language (nano somethings etc.) can be blamed, nobody listened to him and Blaster happened.
Funny thing is, even a non computer geek can be convinced that autorunning programs in this age is a bad thing in 10 seconds and yet MS doesn't disable it.
You know one of the most dangerous and destructive viruses on MacOS (not OS X) is actually named "autorun"? So, the vendor (Apple) did what? Released "hotfixes", called Verisign? They simply disabled the functionality altogether and added a kinda undocumented bit to removable media HFS to "display contents in finder whenever it is inserted" (still works in OS X). So, the user could double click the thing saying "double click me to install". There, problem fixed. No harm done. The MacOS software industry didn't collapse, people didn't look at their newly purchased devices without a clue...

Re:Too bad, it's a great conversion tool. (0)

Anonymous Coward | about 4 years ago | (#33095374)

I'm gonna pretend this is 2002 and this is the first time I hear people are "converting" to Linux because of a security flaw in Windows.

Friday sysadmin appreciation day, (5, Funny)

Major Downtime (1840554) | about 4 years ago | (#33094180)

Re:Friday sysadmin appreciation day, (0)

Anonymous Coward | about 4 years ago | (#33094186)

And your point is?

Emergency ? (0)

Anonymous Coward | about 4 years ago | (#33094192)

Microsoft To Issue Emergency Fix For Windows .LNK Flaw

LNK flaw that attackers have been exploiting for several weeks now

Umm... maybe my notion of emergency is outdated? Though, I certainly wouldn't like to call 911 and get help several weeks later.

and this is why device revocation (1)

chronoss2010 (1825454) | about 4 years ago | (#33094238)

IS RETARDED

Realtek certificate (4, Interesting)

John Saffran (1763678) | about 4 years ago | (#33094242)

The most interesting aspect of this rootkit was the use of the Realtek private key to sign the drivers. According to Kaspersky [threatpost.com]:

Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft officials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.

In hindsight the vendor certificate is a weakness in the entire process simply because access to the signing key bypasses the controls in place. Hardware vendors aren't likely to be as concious, at least until this incident, of the need to maintain proper security around their singing keys, nor are there requirements enforcing such security. In comparison, keys used for financial transactions are generally held in HSMs with strong access controls around them to prevent the revealing of the private key. This particular rootkit was specifically confined to SCADA so the impact was always going to be small, but the malware could've easily been targeted to attack general Windows installs .. who knows how much damage it could've caused then?

Luckily this specific certificate was going to expire soon so there was probably less resistance from the vendor in revoking it than there might've been, but if such revocation was going to invalidate significant numbers of drivers then that would've posed the problem of either leaving the certificate valid to be used for other types of malware or revoking it and invalidating however many drivers had already been signed by that key. Unfortunately it's not very likely that hardware manufacturers will ever submit to using HSM-type devices or the processes necessary to ensure key secrecy, so it looks like this will just have to be yet another potential attack vector that's caused by vendor negligence.

Re:Realtek certificate (1)

Calydor (739835) | about 4 years ago | (#33094396)

Hardware vendors aren't likely to be as concious(sic), at least until this incident, of the need to maintain proper security around their singing keys

Damn those karaoke bars streaming live to the net!

Re:Realtek certificate (1)

icebraining (1313345) | about 4 years ago | (#33094422)

Can't Microsoft remove the certificate from Windows through a patch? Then they could say "secure your signing certs or we'll delete your certs from Windows and you'll have a shitstorm of angry clients who can't use your drivers to deal with".

and then any device needing that driver (1)

chronoss2010 (1825454) | about 4 years ago | (#33094618)

any device needing that driver would stop working and would not work again until the manufacturer got it working. If your important data for your business was on a USB stick then you'd not have access to it unless you have an unpatched OS or Linux boot CD-R to pull the data off. So again, this is why device revocation and signing of drivers is dangerous, as the poster above said.

Re:and then any device needing that driver (1)

icebraining (1313345) | about 4 years ago | (#33096154)

Yes, the drivers would stop working, which would bring the shitstorm against the HW manufacturer. That was my point.

But according to your "sibling" post Windows HW certs don't work like that, so there's nothing Microsoft can do.

Re:and then any device needing that driver (1)

Korin43 (881732) | about 4 years ago | (#33097154)

I suspect it wouldn't work that way anyway. More likely, Microsoft would revoke the certificate, and then everyone would blame them because "My computer doesn't work". Seriously, think of normal people having this problem.

Re:Realtek certificate (0)

vadim_t (324782) | about 4 years ago | (#33094852)

Certificates don't work like that.

Microsoft runs a Certificate Authority. This has a public and private key. The public key is part of a Windows install. The private key is kept safely somewhere at MS, and used to sign certificates for other companies like Realtek.

Then at install time, there is a check: this driver is signed by the Realtek key, which itself is signed by the Microsoft key. Therefore it's trusted, and it's okay to install.

For revocation, MS will publish a revocation list somewhere, which the installer hopefully fetches before giving the go ahead, to make sure Microsoft hasn't changed their mind on that signature.
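The Realtek certificate comment earlier in the thread and the chain-and-revocation sketch just above both turn on the same mechanics, so here is one added example, written for this page and not taken from Threatpost, Microsoft, VeriSign or any vendor: a toy model of driver signing with a root CA, a vendor certificate, a driver signature and a revocation list checked at install time. Everything in it is an assumption for illustration: textbook RSA over fixed Mersenne primes (no padding, not secure), integer "days" instead of real dates, invented names like "Toy Root CA", and a `timestamp` argument standing in for the countersigned signing time that Authenticode signatures carry. That timestamp is why a signature made while a certificate was still valid keeps verifying after the certificate expires, and why revocation rather than expiry is what stops a leaked key. The `stolen_key` case is the point of the thread: with the genuine vendor private key every check passes until the CA puts that certificate's serial on its CRL.

```python
"""Toy model of how a signed driver is trusted: root CA -> vendor certificate ->
driver signature, plus a certificate revocation list (CRL) consulted at install
time.  Textbook RSA over fixed Mersenne primes, integer "days" for dates, and
invented names ("Toy Root CA", "Toy Hardware Vendor").  Not secure, not Authenticode."""
import hashlib
from dataclasses import dataclass
from typing import Optional

E = 65537

def keypair(p: int, q: int):
    """Textbook RSA keypair from two known primes: returns ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data) % n, d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data) % n

@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    pub: tuple           # (n, e)
    not_after: int       # toy validity end, as a day number
    issuer: str
    issuer_sig: int = 0  # issuer's signature over tbs(); 0 for the self-asserted root

    def tbs(self) -> bytes:
        """The to-be-signed bytes: every field except the signature itself."""
        return f"{self.subject}|{self.serial}|{self.pub}|{self.not_after}|{self.issuer}".encode()

def issue(issuer: str, issuer_priv, subject: str, serial: int, pub, not_after: int) -> Cert:
    unsigned = Cert(subject, serial, pub, not_after, issuer)
    return Cert(subject, serial, pub, not_after, issuer, sign(issuer_priv, unsigned.tbs()))

def check_driver(driver: bytes, sig: int, vendor: Cert, root: Cert, crl: set,
                 today: int, timestamp: Optional[int] = None) -> str:
    """Return "OK" or the first reason to refuse the install.  `timestamp` models a
    countersigned signing time; with none, the signature is treated as made today."""
    if vendor.issuer != root.subject or not verify(root.pub, vendor.tbs(), vendor.issuer_sig):
        return "vendor cert not issued by trusted root"
    if (vendor.issuer, vendor.serial) in crl:          # the revocation list the comment describes
        return "vendor cert revoked"
    signed_at = today if timestamp is None else timestamp
    if signed_at > vendor.not_after:
        return "vendor cert expired at signing time"
    if not verify(vendor.pub, driver, sig):
        return "driver signature invalid"
    return "OK"

def demo() -> dict:
    root_pub, root_priv = keypair(2**127 - 1, 2**521 - 1)
    vendor_pub, vendor_priv = keypair(2**107 - 1, 2**607 - 1)
    rogue_pub, rogue_priv = keypair(2**89 - 1, 2**1279 - 1)
    root = Cert("Toy Root CA", 1, root_pub, 9999, "Toy Root CA")
    vendor = issue("Toy Root CA", root_priv, "Toy Hardware Vendor", 1001, vendor_pub, not_after=150)
    crl: set = set()
    driver = b"constructed sample driver image"      # constructed bytes, not a real driver
    malware = b"constructed sample rootkit driver"   # likewise
    sig = sign(vendor_priv, driver)
    r = {}
    r["valid"] = check_driver(driver, sig, vendor, root, crl, today=100)
    r["tampered"] = check_driver(driver + b"\x00", sig, vendor, root, crl, today=100)
    # Home-made certificate naming the root as issuer but signed with the rogue key.
    forged = issue("Toy Root CA", rogue_priv, "Toy Hardware Vendor", 1001, rogue_pub, 150)
    r["forged_chain"] = check_driver(malware, sign(rogue_priv, malware), forged, root, crl, today=100)
    # The Stuxnet situation: the attacker holds the genuine vendor private key.
    r["stolen_key"] = check_driver(malware, sign(vendor_priv, malware), vendor, root, crl, today=100)
    # Same good signature after not_after, without and with a signing-time timestamp.
    r["expired_no_timestamp"] = check_driver(driver, sig, vendor, root, crl, today=200)
    r["expired_timestamped"] = check_driver(driver, sig, vendor, root, crl, today=200, timestamp=100)
    # The remedy the thread describes: the CA publishes the vendor's serial on its CRL.
    crl.add(("Toy Root CA", 1001))
    r["stolen_key_after_revocation"] = check_driver(
        malware, sign(vendor_priv, malware), vendor, root, crl, today=200, timestamp=100)
    return r

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} {result}")
```

The order of checks matters: chain first, then revocation, then validity at signing time, then the signature itself. Revocation before expiry is deliberate, since an expired-but-timestamped signature is still accepted, so an expired certificate whose key has leaked still has to be revoked, which is exactly what the thread reports happening with a certificate that had lapsed in June.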

Re:Realtek certificate (1)

icebraining (1313345) | about 4 years ago | (#33096124)

Right, I was thinking about something closer to browsers, which include a large list of CA certs, but you can remove one of them and then all the certs signed by that CA would not be trusted.

I thought Windows included a large number of HW manufacturers' certs, not a single "Microsoft cert" with which HW certs were signed against.

Re:Realtek certificate (2, Insightful)

sjames (1099) | about 4 years ago | (#33097036)

Fine then, the question is why doesn't MS REVOKE the Realtek cert?

The USEFUL answer is that they did.

Re:Realtek certificate (1)

TheLink (130905) | about 4 years ago | (#33094858)

The part I'm wondering about is are those Realtek signed components actually Realtek components?

e.g. Did Realtek screw up on the cert handling or the components were actually made by realtek but were flexible enough to be abused by hackers?

Re:Realtek certificate (1)

gad_zuki! (70830) | about 4 years ago | (#33096814)

It's incredible that MS doesn't force a UAC check on signed driver installs. That's really the fix, not this patch. These companies will never be able to properly secure their keys. It's time we started admitting that the trust in signed code is forever broken.

Michelangelo wrote to your MBR (0)

Anonymous Coward | about 4 years ago | (#33094264)

What's that, Ring -1? Shit, this is terrible, but so is allowing anything that can house its own driver signature file to be inserted into a SCADA system in the first place. Hell, even the army gets this one right. You can buy the answer at any drugstore. [dickblick.com] And vendors, the nature of USB is such that we NEED to have secure interfaces (or at least dumb ones) like PS2 on our motherboards still.

Is copy-and-pasting "writing"? (4, Insightful)

Two99Point80 (542678) | about 4 years ago | (#33094274)

This is just a copy (minus links) of the article at Threatpost. How about at least crediting the source?

what is this .lnk flaw anyway? (4, Funny)

rduke15 (721841) | about 4 years ago | (#33094282)

I still haven't understood what this .lnk flaw actually is, or what fun things it might be used for (and how).

The previous discussion about this talked about SCADA systems, so I read the wikipedia article about SCADA but still don't quite get what it really is. And the vulnerability seemed to only be exploited on one particularly stupid system which used a hard-coded password.

And it seemed to also require the use of Autorun/Autoplay which should obviously be disabled anyway. I have 2 files to take care of that on all my USB drives:

Autorun.inf:

[AutoRun]
open=autorun.cmd
shell\open\Command=autorun.cmd
shell\explore\Command=autorun.cmd

And autorun.cmd:

@ECHO OFF
ECHO ALERT: You have autorun enabled on this drive (%~d0)!
ECHO.
ECHO Trying to disable it:
@ECHO ON

REM NoDriveTypeAutoRun is a REG_DWORD value under the Explorer policy key,
REM not a key of its own; 255 (0xFF) disables autorun for every drive type.
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
REM Map Autorun.inf to a non-existent registry key so Explorer never honours any autorun.inf.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d "@SYS:Autorun-Disabled" /f

@ECHO OFF
ECHO.
ECHO You may need to reboot.
ECHO.
@pause

Re:what is this .lnk flaw anyway? (0)

Anonymous Coward | about 4 years ago | (#33094490)

Not bad. Although the side effect of turning off autorun on any machine in which the USB device is inserted might not be desirable (e.g., if it's someone else's machine). Also, if a worm blindly writes its own autorun.inf file, then your modified one will get overwritten. Make sure you at least write-protect the file.

My strategy is simpler. Besides having autorun correctly disabled [us-cert.gov] on all the machines I own, I have a read-only directory that's called "autorun.inf" with a readme.txt file in it on any external device. Any worm that attempts to write over it would have to figure out that it's a directory and delete it and the files within it first. From testing on infected machines, none of them have been that smart (yet).

I still like your idea that actively purges the scourge of autorun from each machine.

Re:what is this .lnk flaw anyway? (1)

rduke15 (721841) | about 4 years ago | (#33095888)

the side effect of turning off autorun [...] might not be desirable (e.g., if it's someone else's machine)

For me, it is the desired side-effect, because these people will usually call me for help when they get a virus. I do tell them that I disabled it though, and try to explain why if they seem willing to listen.

Also, if a worm blindly writes its own autorun.inf file, then your modified one will get overwritten. Make sure you at least write-protect the file.

The files do have the read-only attribute.

One of my 2 reg entries is actually what is recommended in your link.

What I don't know yet is if it works on Win7 or if something else is needed. I'm not so much into fixing Windows any more, since I switched to Ubuntu. There's enough to do to try to fix/customize that now ... :-)

Re:what is this .lnk flaw anyway? (0)

Anonymous Coward | about 4 years ago | (#33094500)

Note: On XP you need to install a bugfix before the registry settings actually do what they were supposed to do.
(I'm not sure if this is already included in SP3)

It is MS to do it (1)

Ilgaz (86384) | about 4 years ago | (#33094518)

Your fix doesn't matter as 99% of people out there will wander around with autorun enabled.

MS has to copy Apple's way of doing things. How long did it take for Apple to fix the "startup items" flaw? They changed the scheme of doing things, did a couple of permission tricks and prompted the user with a completely non-nerd window saying something like "Wrong permissions in Startup Items", with 2 options, "fix" and "don't fix", "fix" selected by default.

Or, they figured the Input Manager functionality which allows running from the user's own "Input managers" directory (in $HOME) was flawed, about to get exploited. In the next OS X, they made it ignore the Input Managers in the user's home dir and allowed only admin-installed input managers. Didn't it create problems on an OS which is advertised as "it just works"? Of course it did, but it saved a lot of users who otherwise wouldn't have a clue how powerful Input Managers can be.

What MS has to do is tell big vendors of boxed software/drivers/devices: "this is it folks, talk to your DTP department to add instructions for installing your software to the box, we are disabling autorun by default". They can also add the Windows 95 "install applications/drivers" control panel to an easy-to-reach place. E.g. right under their precious "Internet: Internet Explorer" start menu item :)

Hotfixes, AV software, reg hacks won't cut it.

Re:what is this .lnk flaw anyway? (1, Interesting)

alexhs (877055) | about 4 years ago | (#33094528)

From what I've understood, it is a buffer overflow in the way .lnk files are handled that has been exploited.

It doesn't require autorun, just the reading of the .lnk (which happens when you're displaying the .lnk in Explorer).

The flaw has been discovered from Stuxnet, a virus that happens to target specific systems, but is in no way limited to these systems.

By the way, does anyone know if it is possible to put a noexec on USB keys like you can on unices ? Although it wouldn't help about this flaw, it is usually better practice (as long as you're not using portable apps).

Re:what is this .lnk flaw anyway? (1, Informative)

Anonymous Coward | about 4 years ago | (#33094634)

Please mod this down, the bug in the lnk handling does in no way require autorun, just browsing the folder will do. This btw also works with webdav shares (have fun ie users).

Re:what is this .lnk flaw anyway? (1, Informative)

Anonymous Coward | about 4 years ago | (#33095242)

I still haven't understood what this .lnk flaw actually is,
...
And it seemed to also require the use of Autorun/Autoplay.

Then please do not comment upon it that way. And no, it does not need Autorun/Autoplay.

Just getting the shortcut displayed in your file-browser window is enough to trigger the "exploit". And as most installations are "helpful" enough to open the root folder of the removable media you put into the machine, that "looking at" is fully automated.

Even if not, simply clicking on the USB-sticks icon in the file-browser will open that root-folder for you and it happens anyway. Other sub-folders can be infected the same way.

The crux of the matter is that when the shortcut references a specific target, that target gets activated to be able to get a specific icon from it (which the shortcut then displays).

This is designed behaviour (one of the many "by design" blunders MS has made).

The only work that needs to be done is to edit the target stored in the shortcut to point to another target (the malicious program) located on the removable/remote/anywhere else media. Even a script-kiddie can do that.

P.s.
I removed some too-specific information, as MS did not yet make the patch available ...

Re:what is this .lnk flaw anyway? (0)

Anonymous Coward | about 4 years ago | (#33097700)

Ok, here's the deal (since I work in a company that has an active utility SCADA network, and our IT staff went bonkers)

Some people figured out that there is a bug not in AutoRun, but in the Control Panel Library that actually draws icons for LNKs. Just plugging in the device to a Windows machine then opening Explorer will make Windows crawl through all of the executables on the root folder, and Explorer will try to draw the correct icon for each LNK file... throw in a specifically badly formed icon, and Windows will crash simply viewing the files in the folder. Or in the case of Stuxnet, be made to execute malicious code that (in a fraction of a second) installs a rootkit and masks its presence on the USB drive.

What made this doubly dangerous was this was discovered packaged on a USB device that had a payload attached to it to take advantage of the Explorer crash... the payload contained a specific attack against a Siemens SCADA library (attacking a system account with a hard-coded password, bad Siemens!). SCADA describes a protocol for "supervisory control and data acquisition"; it's the protocol by which large-scale industries remotely control assets... for example, from a local control center, an electric utility company could remotely open circuit breakers, potentially cutting whole towns off from the transmission network. SCADA gives utilities the ability to manage geographically dispersed assets in near real-time, and it's essential to manage the complexity of our country's infrastructure. SCADA is usually implemented on private fiber networks, but in the last 10 years, utilities are becoming more comfortable giving Windows machines VPN access to these networks.

Problem #2 is we don't know how widespread this hidden system account was in use, and Siemens isn't talking. Siemens' problem is that almost everything they do as consultants in the electric industry is one-off custom projects, so IMHO even Siemens doesn't know how large this problem could be.

Now imagine a scenario where a utility employee is walking through their parking lot in the morning, finds a USB flash-drive lying on the ground, person says "cool free drive", goes back to their computer, plugs it in to do a virus check, and the virus executes at the first drawing of the folder. The payload executes, discovers that there's a Siemens SCADA network accessible, and triggers its attack to send bad commands to the SCADA server to crash the network. Yes, lots of stupid security-policy-violating stuff needs to happen, but that's what a social engineering attack is all about.
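The two posts above describe the same mechanism: Explorer parses every shortcut in a folder it displays and resolves whatever the shortcut references in order to draw its icon. Added here as a defender's example (not code from this thread or from Microsoft): a Python triage helper that reads .lnk files per the public MS-SHLLINK layout and flags shortcuts on a drive whose icon is to be pulled from a DLL/CPL/EXE outside the Windows directory, or from a relative or UNC path. The two sample shortcuts, their contents and the triage heuristics are constructed assumptions, and non-Unicode strings are assumed to use cp1252.

```python
"""Triage of .lnk files against the public MS-SHLLINK layout: a 76-byte
ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then StringData."""
import struct

SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]  # fixed on-disk order
TRUSTED_ICON_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\")  # assumption
LOADABLE_EXT = (".dll", ".cpl", ".exe")


def _take(data, pos, n):
    """Slice n bytes at pos; a truncated file raises instead of reading past the end."""
    if pos + n > len(data):
        raise ValueError("truncated at offset %d" % pos)
    return data[pos:pos + n], pos + n


def parse_lnk(data):
    """Return header flags, icon index and the StringData fields of one .lnk."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a ShellLink file")
    icon_index, show_cmd = struct.unpack_from("<iI", data, 0x38)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize excludes its own 2 bytes
        raw, pos = _take(data, pos, 2)
        _, pos = _take(data, pos, struct.unpack("<H", raw)[0])  # items stay opaque
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        raw, _ = _take(data, pos, 4)
        size = struct.unpack("<I", raw)[0]
        if size < 4:
            raise ValueError("bad LinkInfoSize")
        _, pos = _take(data, pos, size)
    info = {"flags": flags, "icon_index": icon_index, "show_command": show_cmd}
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")  # cp1252 assumed
    for bit, key in STRING_FIELDS:           # CountCharacters, then chars, no NUL
        if flags & bit:
            raw, pos = _take(data, pos, 2)
            raw, pos = _take(data, pos, width * struct.unpack("<H", raw)[0])
            info[key] = raw.decode(codec)
    return info


def triage(info):
    """Heuristic reasons a shortcut deserves a look before browsing; [] = nothing odd."""
    reasons, icon = [], info.get("icon_location", "")
    low = icon.lower()
    if low.endswith(LOADABLE_EXT) and not low.startswith(TRUSTED_ICON_PREFIXES):
        reasons.append("icon comes from a module outside the Windows dir: " + icon)
    if low.startswith(("\\\\", ".\\", "..\\")):
        reasons.append("icon path is relative or UNC: " + icon)
    return reasons


def build_lnk(flags, strings, id_list_items=()):
    """Assemble a minimal Unicode .lnk from parts (constructed test data only)."""
    hdr = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, SHELL_LINK_CLSID,
                      flags | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    if flags & HAS_LINK_TARGET_ID_LIST:
        items = b"".join(struct.pack("<H", len(i) + 2) + i for i in id_list_items)
        body += struct.pack("<H", len(items) + 2) + items + b"\x00\x00"
    for bit, key in STRING_FIELDS:
        if flags & bit:
            body += struct.pack("<H", len(strings[key])) + strings[key].encode("utf-16-le")
    return hdr + body


# Constructed samples: a plain document shortcut and one whose icon is a DLL on the drive.
BENIGN = build_lnk(HAS_RELATIVE_PATH | HAS_ICON_LOCATION,
                   {"relative_path": ".\\readme.txt",
                    "icon_location": "%SystemRoot%\\system32\\shell32.dll"})
SUSPECT = build_lnk(HAS_LINK_TARGET_ID_LIST | HAS_ICON_LOCATION,
                    {"icon_location": ".\\payload.dll"}, id_list_items=(b"\x1f\x00",))
```

Run `triage(parse_lnk(open(path, "rb").read()))` over every *.lnk on a mounted stick before opening it in Explorer; a non-empty list is a reason to inspect the file offline.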

The really interesting bit (4, Insightful)

HangingChad (677530) | about 4 years ago | (#33094290)

Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer.

How do you suppose the crackers got a hold of Realtek's digital certificate? Seems to imply a level of sophistication that goes beyond most virus writers, many of whom are industry professionals these days. A government-backed organization maybe or well-funded industrial espionage.

Behold the true face of cyberwar!

Re:The really interesting bit (4, Insightful)

alphatel (1450715) | about 4 years ago | (#33094452)

Agreed, who cares what the vulnerability is - exploits are never-ending. The digitally signed certificate is a sure-fire method of defeating a number of defense mechanisms and penetrating the MS core even further. As always, the benefit to the code writer is that any MS OS can be fooled, including server systems.

Realtek is an IC design house, not software (0)

Anonymous Coward | about 4 years ago | (#33094480)

http://www.realtek.com.tw/ [realtek.com.tw]
That site would explain a lot of things to you, especially their way of handling things. Stupid Creative and other vendors made them (!) the emperor of sound with their policies. If you find out about their market share, it will likely surpass Intel vs. AMD.
Companies like Apple, which think it is wise to pack up old versions of drivers so "maccies" won't have a decent experience on Windows, also add to the problem.
If Microsoft did their job fine and told Realtek "just don't ship drivers, we will handle it with Windows Update as fast as you would post to your website", there wouldn't be a need for a third-party Realtek driver site to begin with. It became a common thing to go to the Realtek site and get/update to the latest drivers.
Realtek is an advanced hardware design (IC) house; this is what happens if you force them to do software things. One day, they lose the certificate.

Re:The really interesting bit (1, Insightful)

Anonymous Coward | about 4 years ago | (#33094530)

Virus authors aren't script kiddies anymore. They're trained software engineers. Remember Conficker? It had an implementation of MD6 only a few weeks after the specifications were released (it even contained a buffer overflow which was a fault in the specifications). However, to get a digital certificate signed, I'm guessing some bribery was in order. I'm guessing spam pays a lot these days, when it's done right.

Re:The really interesting bit (0)

Anonymous Coward | about 4 years ago | (#33094606)

How do you suppose the crackers got a hold of Realtek's digital certificate

They probably didn't. All they did was write some kind of "driver" and pay Realtek some administration fee to sign it.
The problem here is that you never know exactly what you sign, unless you wrote it.
Even if you get the source code and compile the binary yourself, you can't check all the code in a big driver.

Re:The really interesting bit (1)

v1 (525388) | about 4 years ago | (#33095224)

How do you suppose the crackers got a hold of Realtek's digital certificate?

My best speculation on that is an actual hacker (or hacker group) managed to extract the private key through nefarious means, possibly via a botnet-controlled or similarly zombified computer inside realtek, and then it was sold on the underground malware market.

It's very unlikely the makers of Stuxnet were actually the ones that stole the key in the first place. Does make one wonder how much such a key would go for? I would expect it to be very expensive; it's at least as good as a zero-day.

You'd think MS would have some very tight restrictions and conditions on how vendors agree to protect their signed keys. I wonder what MS's response to realtek is going to be? Things like this are really damaging to MS's reputation. Even though MS is not generally known for security in the first place, users expected Vista/7 to be better, and afaik it's at risk here also. MS needs to give realtek some smackdown.

But the real irony here may be that MS's standing security issues were probably a factor in realtek losing the key in the first place, so to some degree, MS contributed to this problem.

"Effective August 2010, MS will require all driver signing keys to be stored exclusively on macintosh computers. Use of windows computers, unencrypted backups hosted on windows-accessible networks, and especially usb thumbdrives, will not be allowed." lol... wonder if that will help them?

Re:The really interesting bit (0, Flamebait)

symbolset (646467) | about 4 years ago | (#33097680)

Start with the obvious assumption that the certificate was stored on a Windows computer. Now assume that most of the rest of them are too. Calculate the likelihood that a particular Windows computer will be rooted.

Are you scared yet?

Windows 2000 users (5, Informative)

trifish (826353) | about 4 years ago | (#33094296)

A friendly warning to all Windows 2000 users out there, your OSs will remain vulnerable (unless you have a private agreement with MS).

Support for you ended two weeks ago.
http://support.microsoft.com/lifecycle/?LN=en-us&x=17&y=3&p1=3071 [microsoft.com]

Win2K users not running AV? (0, Offtopic)

Ilgaz (86384) | about 4 years ago | (#33094610)

As a person in the TV industry, I can really relate to "people still running Windows 2000" but, trust me, it is absolutely suicidal if one doesn't run a commercial-quality AV actually doing heuristics like Kaspersky or F-Secure.

I am not a shareholder in these companies of course, it is just that they are running way deeper security checks and actually watching what really happens on the OS. People blame them for being heavier than "freeware av" for that reason.

If you can live with the pro-active way of doing things, Comodo AV, which is freeware, is a good choice too, in case it works under Win2K. It is like the eSafe end-user version (which has been abandoned), which really figures out the threats even if it has no clue about them.

While on it, OS X 10.4.11 Tiger doesn't get security updates either. I can only (unfortunately) suggest Intego VirusBarrier, which is a bit pricey for them. There is a cost to having to use an older commercial operating system. Obviously, I don't think there is a black hat dumb enough to specifically target some poor guy being forced to run 10.4.11 and spend time on it.

Re:Windows 2000 users (2, Insightful)

Mhtsos (586325) | about 4 years ago | (#33094872)

This is especially important to anyone actually using the SCADA software this virus attacks. Some versions of WinCC are incompatible with XP (as in "only certified to run on Windows 2000"; I'm sure nothing technical prevents running on XP). So actually quite a large portion of the target group remains unpatched.

Re:Windows 2000 users (0)

Anonymous Coward | about 4 years ago | (#33095898)

The city of Munich? Do they still run NT 4.0?

Re:Windows 2000 users (1)

gad_zuki! (70830) | about 4 years ago | (#33096756)

This attack can only use the credentials of the logged in user. Running as limited user limits its ability to do anything outside of your profile. That and basic AV means Win2000 is usable for a long time in the future.

Re:Windows 2000 users (0)

Anonymous Coward | about 4 years ago | (#33097252)

That and basic AV means Win2000 is usable for a long time in the future.

You must be kidding me. Windows gets a new unpatched vulnerability (often exploited zero-day style) every month. You just need to wait another month for yet another vulnerability and then another for another, etc. Antiviruses may detect some of these but not all. In the following months your Windows 2000 will be turning into a rotten pile of insecure shit. Face the reality or be pwned.

Thank %DIETY% (1)

thegarbz (1787294) | about 4 years ago | (#33094298)

This virus made its rounds through my work (Fortune 50 company). Man, the clean-up was disruptive. McAfee was quick with a patch to clean our computers, but there were petabytes of storage to clean worldwide.

The real flaw on 3 different OS won't be fixed (3, Insightful)

Ilgaz (86384) | about 4 years ago | (#33094450)

For some reason, MS will shy away from mandatory CRL/OCSP checks. Bandwidth issues for 1 KB of traffic?

Realtek drivers, as they are software/hardware hybrids (more like a softmodem) with unnecessary junk like an extra control panel, weigh around 40 MB. Everyone knows it since we have to deal with their aspx-powered weirdo site when vendors, including Apple Inc., install old versions of drivers. What kind of harm would Windows do asking the certificate vendor (Verisign in this case) if the certificate is real?

This is also a mistake by Apple: they don't enable OCSP, at least to "best attempt", in a fresh OS X install. You gotta do it in the Keychain utility preferences. Sad, because on the OS X way of doing things, that would mean an instant security boost since native OS X apps use the same framework for SSL comms.

Funny is, this is also a problem on Symbian, which doesn't rely on an "app store". For example, on a Nokia E71, one must live in a complete usability hell if he/she enables "online certificate revocation check". They just couldn't fix the freaking UI and disabled online certificate checks for signed Symbian apps. So what happens if some dumb shareware vendor loses their certificate or they actually freely sign malware? You install AV. All this for saving (!) 1 KB of traffic.

So, even if Verisign revokes it (or hurries, whatever), it won't have any effect until MS/Apple/Symbian (don't know about others) wake up and enable certificate revocation checks by default, in these days when even your heater is connected to the internet.

Re:The real flaw on 3 different OS won't be fixed (0)

Anonymous Coward | about 4 years ago | (#33094652)

So, even if Verisign revokes it (or hurries, whatever), it won't have any effect until MS/Apple/Symbian (don't know about others) wake up and enable certificate revocation checks by default, in these days when even your heater is connected to the internet.

So some hax0r can automatically disable nation-wide heaters with revoking one cert? Nice idea for cyberwar...

The real problem is who to trust... (1)

leuk_he (194174) | about 4 years ago | (#33094804)

They can revoke keys, but then there is a new problem:

- What if the system becomes unusable without a certain driver (maybe even because the rootkit kills the system deliberately in that case)? Who is responsible?
- If the user gets prompted, what are his options? (e.g. in the simple case his system clock is wrong, but the error message is not clear).
- What if revoking disables the sound of 66% of the Windows machines and ONLY disables 0.001% of the rootkit (but not even the actual virus)?

If you think this over, you realize how many issues there are with revoked/expired certificates. The math behind them is correct, but the consequences are much more complicated.

"have been exploiting for several weeks now..." (1)

euyis (1521257) | about 4 years ago | (#33094850)

Why is this called an "emergency" fix? Just curious.

Re:"have been exploiting for several weeks now..." (2, Informative)

Shados (741919) | about 4 years ago | (#33095734)

Because for various reasons (some that are even good), Microsoft normally releases patches only once a month. When they can't wait, they call it an emergency fix. Simple enough?

LNK is an Open Specification (4, Interesting)

kingdominic (1868276) | about 4 years ago | (#33095118)

The .LNK Binary File Format is an Open Specification provided by Microsoft via the following document:
http://msdn.microsoft.com/en-us/library/dd871305(PROT.13).aspx [microsoft.com]
~ king

Re:LNK is an Open Specification (1, Interesting)

Anonymous Coward | about 4 years ago | (#33095914)

How does that do us any good though? It's not like Microsoft's implementation can be easily replaced, is it? Do they use a well-documented stand-alone library for working with .lnk files? One that I could just plug an alternate implementation of into by exporting the same symbols? Probably not. It's probably lumped in with hundreds of other unrelated functions in some binary that can't be replaced without a significant amount of reverse engineering.

In the end you're still at Microsoft's mercy. Hope their fix works.

Windows XP SP2 will not be patched (1, Informative)

Anonymous Coward | about 4 years ago | (#33095458)

SP2 support ended earlier this month. You know what that means. No patch unless you have a custom support contract. Hasta la vista.

Re:Windows XP SP2 will not be patched (1)

UnknowingFool (672806) | about 4 years ago | (#33096654)

Or you could just update to SP3. That hasn't ended yet.

Wonderful (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33095662)

Next up, .DLL, .EXE, and .*.

While they are at it (1)

JimboFBX (1097277) | about 4 years ago | (#33096566)

While they are at it they should remove the functionality to open a .lnk file in Media Player. My wife had Media Player as the default player, and she had some .mp3 files on her system. I'm guessing she got these from Limewire or something. They wouldn't play in iTunes, so I tried opening them in Media Player and it said it was a file type that didn't match its extension, open anyway? So I said yes, thinking that it might have been a wma that was renamed by a dummy, and then instantly a web browser window opened up to some website. The file itself was 5 megs, so I'm guessing it had a .lnk header and then either padded the rest with the original mp3 or just dummy data.

time to exploit XPSP2 installations! (0)

Anonymous Coward | about 4 years ago | (#33096902)

Since many corps still refuse to upgrade to SP3, get ready for a swath of news with IT failing to quell SP2-only rootkits and worms.

Re:time to exploit XPSP2 installations! (1)

Kaenneth (82978) | about 4 years ago | (#33097318)

I could see putting off migrating to Vista/Seven... But not installing a service pack?, that's just dumb...
