On Monday, August 2, Microsoft is scheduled to release an out-of-band patch.
Everything I am seeing seems to indicate this is a patch for the .lnk shortcut vulnerability.
Update – July 30 – 2:00 p.m.
They are kind of vague in both the advance notification and also the original advisory – but this seems to have more details than all else I have seen – http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx
http://www.microsoft.com/technet/security/advisory/2286198.mspx
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
Published: July 16, 2010 | Updated: July 20, 2010
Version: 1.2
General Information
Executive Summary
Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.
>>> “Microsoft” <securitynotifications@e-mail.microsoft.com> 7/30/2010 12:52 PM >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
********************************************************************
Microsoft Security Bulletin Advance Notification for August 2010
Issued: July 30, 2010
********************************************************************
This is an advance notification of one out-of-band security bulletin
that Microsoft is intending to release on August 2, 2010.
The full version of the Microsoft Security Bulletin Advance
Notification for August 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx.
This bulletin advance notification will be replaced with the
August bulletin summary on August 2, 2010.
For more information about the bulletin advance notification
service, see
http://www.microsoft.com/technet/security/Bulletin/advance.mspx.
To receive automatic notifications whenever Microsoft Security
Bulletins are issued, subscribe to Microsoft Technical Security
Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.
Microsoft will host a webcast to address customer questions on
the out-of-band bulletin on August 2, 2010,
at 1:00 PM Pacific Time (US & Canada). Register for the
Security Bulletin Webcast at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.
Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.
This advance notification provides a number as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:
Critical Security Bulletins
===========================
Bulletin 1
  - Affected Software:
    - Windows XP Service Pack 3
    - Windows XP Professional x64 Edition Service Pack 2
    - Windows Server 2003 Service Pack 2
    - Windows Server 2003 x64 Edition Service Pack 2
    - Windows Server 2003 with SP2 for Itanium-based Systems
    - Windows Vista Service Pack 1 and
      Windows Vista Service Pack 2
    - Windows Vista x64 Edition Service Pack 1 and
      Windows Vista x64 Edition Service Pack 2
    - Windows Server 2008 for 32-bit Systems and
      Windows Server 2008 for 32-bit Systems Service Pack 2
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for x64-based Systems and
      Windows Server 2008 for x64-based Systems Service Pack 2
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for Itanium-based Systems and
      Windows Server 2008 for Itanium-based Systems Service Pack 2
    - Windows 7 for 32-bit Systems
    - Windows 7 for x64-based Systems
    - Windows Server 2008 R2 for x64-based Systems
      (Windows Server 2008 R2 Server Core installation affected)
    - Windows Server 2008 R2 for Itanium-based Systems
  - Impact: Remote Code Execution
  - Version Number: 1.0
Update – Aug 3
The .lnk patch should be downloaded automatically on all machines that have automatic updates turned on. Make sure the following patch is applied: 2286198
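One way to confirm the patch is present on several machines at once, as an added example that is not part of the original post or of Microsoft's notification. It assumes the update is recorded in the installed-hotfix list as "KB2286198"; the host names are hypothetical placeholders.

```powershell
# Added example: report which machines list update 2286198 as installed.
# Assumption: the update is recorded with the HotFixID "KB2286198".
$HotFixId = 'KB2286198'

# Hypothetical host names; replace with your own inventory.
$Computers = @($env:COMPUTERNAME, 'WORKSTATION-01', 'FILESERVER-01')

$results = foreach ($computer in $Computers) {
    $status    = 'Missing'
    $installed = $null
    try {
        # Fetch the full hotfix list and filter locally. Asking for a single
        # -Id raises an error when the update is absent, which would be
        # indistinguishable from a machine that cannot be reached.
        $all = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
        $hit = $all | Where-Object { $_.HotFixID -eq $HotFixId } |
               Select-Object -First 1
        if ($hit) {
            $status    = 'Installed'
            $installed = $hit.InstalledOn
        }
    }
    catch {
        # Offline host, blocked WMI/RPC, or insufficient rights.
        $status = 'Unreachable: ' + $_.Exception.Message
    }

    # New-Object keeps the script compatible with PowerShell 2.0.
    New-Object PSObject -Property @{
        Computer    = $computer
        HotFix      = $HotFixId
        Status      = $status
        InstalledOn = $installed
    }
}

# Show patched, unpatched and unreachable machines in one table.
$results | Select-Object Computer, HotFix, Status, InstalledOn |
    Sort-Object Status, Computer | Format-Table -AutoSize

# Machines that still need attention (missing or could not be checked).
$results | Where-Object { $_.Status -ne 'Installed' } |
    Select-Object -ExpandProperty Computer
```

A machine reported as unreachable has not been verified either way, so treat it as unpatched until it can be checked.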