At Microsoft, as at most large software vendors, we are likely to have publicly known issues under investigation at any given time. This is what we do on the Security Research & Defense team. Recently we’ve seen confusion from folks trying to make sense of some of the current public issues. To help clear that up, we offer this table of information to help customers make a risk assessment for their particular environment. Note that applying the Microsoft-recommended workaround for any issue in the table removes the risk posed by the issue entirely.
Anti-virus and IDS/IPS signatures developed by our MAPP partners for this issue have also been quite effective at detecting and blocking attacks.
Proof-of-concept code we have seen so far requires a user to browse to an attacker-writable folder using Windows Explorer. If Explorer is set to display thumbnails or a preview of contained files (neither setting is the default), the chance of code execution exists. Current proof-of-concept code is not successful when Explorer is set to display files in the default List mode.
(SRD blog post)
If you have enabled IIS FTP service, consider disabling it, if possible, until a security update is available.
The real-world risk to most customers from this issue is expected to be quite low.
The attached .txt file, if renamed to .reg and opened, will apply the killbit to the affected CLSIDs.
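Before importing a killbit .reg file, it is worth confirming that it only sets the kill bit and touches nothing else. The following is an added example, not part of the original post or its attachment: the function name `review_killbit_reg` is hypothetical, and the CLSID and the unrelated key in the sample are constructed placeholders, not the CLSIDs affected by this issue.

```python
import re

# The kill bit is bit 0x400 of "Compatibility Flags" under a per-CLSID key;
# when set, Internet Explorer will not instantiate that ActiveX control.
KILLBIT = 0x00000400
ALLOWED_PARENTS = {
    r"hkey_local_machine\software\microsoft\internet explorer\activex compatibility",
    r"hkey_local_machine\software\wow6432node\microsoft\internet explorer\activex compatibility",
}
KEY_RE = re.compile(
    r"^\[(-?)(.+)\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\]$")
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def review_killbit_reg(text):
    """Return (clsids_with_killbit, findings) for the text of a .reg file."""
    killed, findings, clsid = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Reject key deletions ("[-...]") and keys outside ActiveX Compatibility.
            ok = m and not m.group(1) and m.group(2).lower() in ALLOWED_PARENTS
            clsid = m.group(3).upper() if ok else None
            if not ok:
                findings.append(f"line {n}: unexpected key {line}")
            continue
        m = VAL_RE.match(line)
        if clsid is None or not m:
            findings.append(f"line {n}: unexpected value {line}")
        elif int(m.group(1), 16) & KILLBIT:
            killed.append(clsid)
        else:
            findings.append(f"line {n}: kill bit not set for {clsid}")
    return killed, findings

# Constructed sample: placeholder CLSID plus one entry a reviewer should question.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"Setting"="1"
"""

if __name__ == "__main__":
    killed, findings = review_killbit_reg(SAMPLE)
    print("kill bit set for:", killed)
    print("\n".join(findings) or "no unexpected entries")
```

The function expects already-decoded text; .reg files exported by regedit in the Version 5.00 format are UTF-16, so decode accordingly before passing the contents in.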
We hope that this helps customers make a risk assessment for their environment. We are closely monitoring each of these issues, and we will update or issue advisories if the threat landscape changes.
Thanks to each of the case managers and security engineers who worked over the holidays to respond appropriately to these public disclosures!
- Jonathan Ness, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*