Out-Of-Band Security Bulletin Webcast Q&A - August 2010
Host: Christopher Budd, Sr. Security Response Communications
Chat Topic: August 2010 Out-Of-Band Security Bulletin Release
Date: Monday, August 2, 2010
Q: Do you know of malware that uses this vulnerability, and have antivirus companies such as McAfee, etc., published the DAT file?
A: Yes, there are multiple malware families that are known to exploit this vulnerability. Stuxnet, Sality, and Vobfus are all examples. These families were discussed on the Microsoft Malware Protection Center (MMPC) blog: http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx The Microsoft Security Response Center (MSRC) through the Microsoft Active Protections Program (MAPP) has shared samples of malware and details of the vulnerability with all MAPP partners, such as McAfee, to ensure that they can provide protection for their customers. However, you should contact your vendor to ensure you know the exact name of the signatures to detect malicious .LNKs and the malware known to use them for exploitation.
Q: If a remote console session is opened on a server, the user is logged on but the console client is disconnected (because the user was not logged off but just closed the remote console) and there is an Explorer window opened in this session, is a server which has not received the MS10-046 update vulnerable?
A: Yes. In this scenario, the folder view could possibly refresh, at the very least when the user re-engages his session. If an attacker manages to place a malicious shortcut file in the location opened in the Explorer folder view, he may be able to successfully exploit the machine. We strongly recommend installing the security update even on servers in this specific scenario.
Q: I plan to deploy the disabling of the workaround through a Group Policy Object (GPO) startup script. Is there a registry entry or Windows Management Instrumentation (WMI) request where the script could look to tell if the update has been applied?
A: Yes. The registry keys that indicate whether the update is installed are different for each platform, but are described in detail in the security bulletin under the "Deployment" section, "Registry Key Verification."
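One way to build the startup script described in this exchange, as an added example that is not part of the webcast and not Microsoft's own tooling: the script treats the bulletin's registry key as the authoritative sign that the update is installed (as the answer says), logs two corroborating signals (Get-HotFix and the shell32.dll file version), and only then restores the icon-handler registration from a .reg export the administrator took before applying the workaround. The registry key path, the minimum shell32.dll version and the backup path are placeholders that must be filled in from the bulletin's "Registry Key Verification" and "File Information" sections and from your own environment; the KB number is the one cited on this page.

```powershell
# Added example, not code from the webcast or from Microsoft.
# GPO startup script: undo the MS10-046 icon workaround only once the update is present.
# PLACEHOLDERS to fill in before use:
#   $UpdateMarkerKey  - key from the bulletin's "Registry Key Verification" for this platform
#   $MinShell32Ver    - shell32.dll version from the bulletin's file information table
#   $WorkaroundBackup - .reg export taken of the icon-handler registration before the workaround

$UpdateKB         = 'KB2286198'                                  # KB number cited on the page
$UpdateMarkerKey  = 'HKLM:\SOFTWARE\PLACEHOLDER\KeyFromBulletin' # placeholder
$MinShell32Ver    = [Version]'0.0.0.0'                           # placeholder (0.0.0.0 disables the check)
$Shell32Path      = Join-Path $env:SystemRoot 'System32\shell32.dll'
$WorkaroundBackup = 'C:\PLACEHOLDER\lnk-iconhandler-before-workaround.reg'  # placeholder
$LogPath          = Join-Path $env:SystemRoot 'Temp\ms10-046-startup.log'

function Write-Log([string]$Message) {
    # One line per decision so the GPO rollout can be audited host by host.
    "$((Get-Date).ToString('s')) $env:COMPUTERNAME $Message" | Out-File -FilePath $LogPath -Append
}

function Get-UpdateEvidence {
    # Returns the names of the signals found; 'registry-key' is the one the bulletin documents.
    $evidence = @()
    if (Test-Path $UpdateMarkerKey) { $evidence += 'registry-key' }
    try {
        if (Get-HotFix -Id $UpdateKB -ErrorAction Stop) { $evidence += 'get-hotfix' }
    } catch { }   # Get-HotFix unavailable or KB not listed: corroboration only, not fatal
    if ((Test-Path $Shell32Path) -and ($MinShell32Ver -gt [Version]'0.0.0.0')) {
        # FileVersion looks like "6.1.7600.16385 (win7_rtm.090713-1255)"; keep the numeric part.
        $raw = (Get-Item $Shell32Path).VersionInfo.FileVersion
        $ver = [Version]($raw.Split(' ')[0])
        if ($ver -ge $MinShell32Ver) { $evidence += 'shell32-version' }
    }
    return $evidence
}

function Remove-IconWorkaround {
    # Restores the pre-workaround icon-handler registration from the exported .reg file.
    if (-not (Test-Path $WorkaroundBackup)) {
        Write-Log "backup $WorkaroundBackup not found; workaround left in place"
        return $false
    }
    & reg.exe import $WorkaroundBackup | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Log "reg.exe import failed with exit code $LASTEXITCODE; workaround left in place"
        return $false
    }
    Write-Log 'workaround removed; users must log off and on (or the host reboot) for Explorer to pick it up'
    return $true
}

$evidence = Get-UpdateEvidence
if ($evidence -contains 'registry-key') {
    Write-Log "$UpdateKB detected via: $($evidence -join ', ')"
    Remove-IconWorkaround | Out-Null
} else {
    Write-Log "$UpdateKB registry marker absent (other signals: $($evidence -join ', ')); keeping icon workaround"
}
```

The file-version check is deliberately inert while its placeholder is unfilled, and the restore step is gated on the bulletin's registry key alone, so an unfinished copy of the script cannot strip the workaround from a host that has not received the update.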
Q: Can the patch, when delivered via Windows Server Update Services (WSUS), be configured to deploy silently (without reboot)? And in this case, would it be effective before or upon the next reboot?
A: You can set automated installs to delay their reboots, but this is done with client policy.
Q: Did you just say the patch is un-installable? There is no backout plan for it?
A: MS10-046 can be uninstalled. There is a "back-out" option.
Q: Could I be infected by opening a compromised File Transfer Protocol (FTP) site in Internet Explorer?
A: Yes. If the folder contains a malicious shortcut file, the vulnerability can be exploited.
Q: Do you know whether MS10-046 has any compatibility issues if the Sophos Windows Shortcut Exploit Protection Tool has already been installed?
A: Microsoft does not investigate nor comment on third-party workarounds and solutions for security vulnerabilities and how they interface with the security update. At this point in time, though, we are not aware of any reports of compatibility issues caused by the security update.
Q: Is this available for all language versions yet?
A: Yes, this update is released for all language versions of Windows.
Q: Will the August Malicious Software Removal Tool (MSRT) include detection and removal for viruses currently exploiting MS10-046, and can the MSRT be released earlier than the second Tuesday via an Out-of-Band (OOB) schedule?
A: The Malicious Software Removal Tool (MSRT) update is on track for the second Tuesday of August as planned and additional malware families known to exploit this vulnerability are under consideration for that update.
Q: The security release requires a reboot, which is understood. We have applied the workaround via Group Policy Preferences. Does the removal of the workarounds require a reboot or will a GP refresh be enough?
A: After deploying the workaround, a reboot is strongly recommended to ensure that the change is effective in all possible applications. For the workaround, and the workaround only, this same effect can be accomplished by forcibly logging off all users on the system, and requiring them to log back on. This would also implement the workaround for all applications and all users. However, after installing the security update, a reboot is required.
Q: Can you explain the triggers/thresholds/criteria for Microsoft to issue an OOB security bulletin?
A: Microsoft uses several criteria to make decisions on whether or not an out-of-band update is considered. These specific criteria are not publicly disclosed, but are heavily based on the impact of the specific vulnerability on Microsoft customers, and the status of that vulnerability's exploitation on the Internet.
Q: Autoplay and user action are the only way so far to get the infection, correct? Will it spread in the environment to other servers by itself?
A: Microsoft cannot conclusively comment on the behavior of all possible malware families that use this vulnerability. However, this vulnerability cannot be exploited without user interaction, and cannot be used to spread in an environment without the user actually using an infected USB stick, or browsing a malicious network location. User interaction is required for this vulnerability to be exploited.
Q: Could you please remind us where the Fix-it to turn off the prevention Fix-it is located?
A: The Fix-it solution that can be used to turn off the workaround can be found in the KB article linked from the security update: http://support.microsoft.com/kb/2286198.
Q: If you have servers that do not access untrusted networks and do not allow Internet browsing, would the opportunity for impact be decreased significantly?
A: The environment that you are describing would have a reduced impact in most cases, but this does not mean that it is impervious. Initial reports of the Stuxnet malware that leverages this vulnerability showed that it used infected Universal Serial Bus (USB) keys to attack Supervisory Control and Data Acquisition (SCADA) networks, and SCADA networks generally have no web connectivity.
Q: Do we have to undo any workarounds applied before applying the out-of-band update? Will failure to do so cause a problem during the out-of-band update application? Is it OK if we do the workaround undo after the update has been applied?
A: You are not required to remove the workaround prior to installing the update. You can install the security update and later undo the workaround.
Q: Do you lose any functionality if you apply this fix?
A: This update has undergone rigorous compatibility testing and so far we are not aware of any impaired functionality associated with this update.
Q: Are there any concerns for elevation / escalation of privilege outside of logged-on user?
A: This vulnerability does not allow for elevation of privilege. Any exploitation of the vulnerability will only result in execution of arbitrary code as the currently logged-in user.
Q: I know that NT/2000 is end-of-life and Microsoft will no longer support these systems or provide comments, but are Windows NT/2000 systems impacted by this vulnerability?
A: Please contact Microsoft LifeCycle Support for information on Custom Support. http://support.microsoft.com/lifecycle/
Q: Does this update require a reboot to be effective?
A: Yes, the update does require a reboot.
Q: Is there any danger of this being exploited remotely?
A: This vulnerability can be exploited using a number of specific vectors, most of which are remote. We recommend reviewing the security bulletin for more guidance on the ways this vulnerability can be exploited (MS10-046).
Q: I am seeing the Security update for Windows XP and Windows Server 2008 x64, but I don't find the Security update for Windows 7 and Windows Server 2003 on my Windows Server Update Services (WSUS). Is there a lag in the update being distributed to these systems?
A: There is usually some latency - the time it takes for the update packages to propagate from server to server - in the first few hours after release. Server latency should clear up within the first few hours after release.
Q: Would blocking Server Message Block (SMB) affect Microsoft Groove functionality?
A: Microsoft Groove mainly uses the Web-based Distributed Authoring and Versioning (WebDAV) authoring protocol to access the SharePoint library. Blocking SMB, which is another file-sharing protocol, would have a limited effect on the application. However, blocking WebDAV will definitely impact its functionality. Regardless of the protocol used, we strongly recommend testing any workaround closely with your specific environment prior to wide deployment.
Q: How is this vulnerability initially being brought into environments? Is it mainly via a Universal Serial Bus (USB), etc?
A: Currently, we are aware of specific malware families using this vulnerability to affect environments through USB removable media, as well as archives being sent through e-mail that require the recipient to take very specific action (copying a file) in order to be effective. The most significant risk is currently posed by the use of untrusted removable drives. We are not currently aware of prevalent exploitation using WebDAV or network shares, but these cannot be excluded.
Q: If you apply the MS10-046 Security Bulletin update to a Windows 2008 file server, can the file shares presented by that server still be infected? Also, how vulnerable are published applications via Citrix and Microsoft terminal servers?
A: This security update will not remove any malware infections present on the system. Microsoft recommends using an anti-virus product, such as Microsoft Forefront or Microsoft Security Essentials, to inspect machines for possible infection and clean-up. However, upon installation it will no longer be possible to attack the server using this vulnerability. While we cannot comment on the risk for all third-party products, applications running on a remote server that display an icon will not be able to infect a client machine accessing that desktop remotely -- for instance, a machine using Remote Desktop or Terminal Services -- unless the file is in fact actually transferred to the client.
Q: What time will the hotfix be available on our WSUS Servers?
A: You can sync the WSUS servers with MU right away and it would then be available on WSUS.
Q: Will the exploit show any event viewer entries if a host has been compromised or a compromise attempt made, before and/or after the update?
A: No, exploitation of this vulnerability will not leave any log entries in the event viewer in a default installation.
Q: Can you explain the attack vector using Internet Explorer and a malicious website? Is this vector being seen in the wild?
A: This vulnerability could theoretically be exploited by a malicious web site. A user would have to specifically browse the rogue web site. When he does so, the crafted web site could display a malicious, crafted icon. We are currently not aware of any active exploitation through this attack vector.
Q: Has a signature been released for Forefront Threat Management Gateway (TMG)?
A: Yes, detection for this exploit is available. We have two signatures: Exploit: Win32/CplLnk.A
Q: The earlier workaround removed the graphics from desktop icons. Will this fix affect icons?
A: No. You will need to undo the workaround in order to regain the lost functionality. There is a "Disable" Fix-it tool that can be used to automate this.
Q: Is the attack applicable if the user does not have execute permissions on the shortcut?
A: Yes. When the user only has permissions to read the affected shortcut file, this vulnerability can still be exploited. The system does not consider the displaying of the shortcut as "execute" permissions. Displaying of shortcut icons can, however, be disabled by implementing the workaround/Fix-It solution.
Q: Do you know if Microsoft is repackaging its security patches to only be picked up by Microsoft Baseline Security Analyzer (MBSA) 2.1?
A: We have not made changes to block the older product, but we only formally support a single version of the MBSA. The detection criteria will occasionally work on previous versions, but this is not intentional, and to fully leverage the functionality of the newer tool, occasionally there will be content that will be incompatible with older versions of the tool. It is best to move to the latest/greatest.
Q: The following link indicates that this update will also apply to XP SP2: http://www.microsoft.com/downloads/details.aspx?familyid=12361875-B453-45E8-852B-90F2727894FD&displaylang=en Is that correct?
A: This statement is currently an inaccuracy on the Download Center. The update is only made available for products in their mainstream support lifespan or extended support agreements. We are in the process of updating the web site to reflect this.
Q: Is the severity of this Security update still “Important” on Windows Update or has it changed to “Critical”?
A: All Security updates are classified as "Important" for uplevel OSes - the possible severity ratings are Critical, Important, Moderate, or Low - and "High Priority" for downlevel OSes. Therefore, on Windows Update it is correct that it is offered under "Important" updates. The severity of this security update remains "Critical." Since it is a "Critical" update it will be offered through Automatic Updates.
Q: Is this assumption correct? “I assume that this update will help PCs more than the servers as I believe the exploit requires someone to navigate to a LNK file and we normally would not be doing this from the file server. This would be more likely something done at the PCs that would be navigating the mapped drive from the file server.”
A: Correct. This vulnerability mainly affects machines that are used to browse web sites or network shares, and that deal with removable media such as USB sticks. These types of usage scenarios are more common on clients than on servers. However, we strongly recommend installing the update on both servers and clients to protect your environment, as even servers will often perform some of these basic functions. However, all exploitation attempts do require some user interaction.
Q: Given the usability issues in the Fix-it solution, where the icon changes could pose a problem for some customers, can you explain what was done to update the vulnerability without impacting the icon displays?
A: The Fix-it tool automates a workaround of disabling icons. That workaround could be considered a "big hammer" type of approach. The user experience you refer to is a side-effect of that specific workaround. By contrast, the fix provided in the bulletin actually resolves the vulnerability - a much more subtle approach that has no such side effects.
Q: If we have an Intrusion Detection Service and Anti-Virus product that has an update for this exploit, is it possible to postpone this Out-of-Band update to next week?
A: We are formally advising everyone to apply the update based on its criticality, but customers are under no obligation to do so. It is always the case that customers should leverage Defense-in-Depth strategies to buy time to adequately test and formally deploy updates when it meets their internal level of risk tolerance.
Q: Is virus protection enough to prevent this vulnerability from being exploited? If so, is there user intervention between the user and the site, or could it be exploited through a banner ad or infected JPG?
A: Some vendors have released protection that will detect and block malicious shortcut files, as well as the known malware that is using this technique to propagate. However, using protection technology should be considered a temporary fix. Applying the update provides the best way to prevent exploitation, because it fixes the code behind the vulnerability.
This issue cannot be exploited through a banner ad or a malicious JPEG file. All vectors do require user interaction, but this interaction can in some cases be limited, such as browsing a malicious web site or network share, or introducing a malicious removable USB device.
Q: Exactly which Windows Shell file(s) does this impact? For example, shell32.dll ?
A: This update will address the vulnerability by updating shell32.dll, which is the affected component.
Q: When Advisory 2286198 is replaced, will any old .dll or files be removed?
A: This update will not remove any files, but it will replace shell32.dll, which is the component affected by this vulnerability.