Critical MS Security Update Leaves XP SP2 And Windows 2000 Systems Out Of Luck

By Taylor Gillespie
Expert Author
Article Date: 2010-08-04

Earlier this week, on a Monday and a week before this month's Patch Tuesday, Microsoft uncharacteristically pushed an out-of-band security update to remedy a severe vulnerability that allows remote code execution on all versions of Windows. Security advisories began appearing in mid-July, and Microsoft could not wait a week longer for the second Tuesday of the month, when system administrators expect and plan for system updates and patches, to release the fix.

Security-oriented organizations that track the issue rate it severely: the National Cyber-Alert System gives it a CVSS v2 base score of 9.3, or High, and Secunia rates its criticality level as Highly critical. The vulnerability also endangers versions of Windows no longer supported by Microsoft, namely XP SP2 and Windows 2000, so the only recourse for those using versions of Windows before XP SP3 is to upgrade.

The exploit uses Windows Shortcut files to load arbitrary code; Microsoft refers to the flaw as the "Shortcut Icon Loading Vulnerability." Fortunately for most users, this exploit has for the most part targeted Siemens control systems. Adding to the insidiousness, the infected shortcut files can be set to execute with the autoplay of removable media. Turning off autoplay can stave off that vector of attack, but does not prevent a user from activating a malicious shortcut file.

While most Windows systems will have been upgraded beyond XP SP2, for now it seems administrators of older Windows machines have few recourses beyond upgrading to a supported version. Disabling autoplay for removable media and disallowing removable media in the enterprise environment are only marginally viable alternatives to the security patch. Though those steps make executing the arbitrary code of a malformed shortcut less automatic, the end user will still be able to execute the file. Even with properly strict user permissions, while the actual system damage may be minimal, sensitive information can be acquired and malicious code can propagate and persist. User education and compliance cannot completely meet the requirements of a hardened enterprise.
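As an added example, not taken from the article, the following PowerShell script audits and enforces the AutoRun policy that the article describes as a partial workaround. It assumes the standard Explorer policy key `NoDriveTypeAutoRun`, where the value 0xFF disables AutoRun for every drive type and the 0x04 bit covers removable media; the `HonorAutoRunSetting` value is assumed to be needed only on XP/2003 hosts that have the KB967715 AutoRun update installed.

```powershell
# Added example (not from the article): audit and enforce the AutoRun policy.
# Run from an elevated PowerShell session. This only removes the automatic
# vector; a user can still open a malicious .lnk by hand, as the article notes.
# Assumptions: standard Explorer policy key; 0xFF = AutoRun off for all drive types;
# bit 0x04 = removable drives; HonorAutoRunSetting needed on XP/2003 with KB967715.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName   = 'NoDriveTypeAutoRun'
$AllDrives   = 0xFF
$RemovableBit = 0x04

function Get-AutoRunPolicy {
    # Returns the current bitmask, or $null when the policy has never been set
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-RemovableAutoRunDisabled {
    param([Nullable[int]]$Mask)
    # True only when the removable-drive bit is set in the policy mask
    if ($null -eq $Mask) { return $false }
    return (($Mask -band $RemovableBit) -ne 0)
}

function Set-AutoRunPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives `
        -PropertyType DWord -Force | Out-Null
    # XP/2003 ignore NoDriveTypeAutoRun until this flag is present (post-KB967715 behaviour)
    New-ItemProperty -Path $PolicyKey -Name 'HonorAutoRunSetting' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-AutoRunPolicy
if (Test-RemovableAutoRunDisabled -Mask $current) {
    Write-Output ('AutoRun for removable media already disabled (mask 0x{0:X2}).' -f $current)
} else {
    $shown = if ($null -eq $current) { 'unset' } else { '0x{0:X2}' -f $current }
    Write-Output ("AutoRun policy is $shown; removable media would still AutoRun. Enforcing 0xFF.")
    Set-AutoRunPolicy
    Write-Output ('Policy now 0x{0:X2}; sign out or restart Explorer for it to take effect.' -f (Get-AutoRunPolicy))
}
```

The same setting can be pushed domain-wide through Group Policy rather than per host; either way it mitigates only the autoplay vector, not the shortcut vulnerability itself.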

About the Author:
Taylor is a Staff Writer for WebProNews