11 Aug 2010

Protecting against attacks on the Windows .LNK vulnerability (Stuxnet/Sality)

I have just finished this report on the very recent Windows vulnerability (MS10-046, CVE-2010-2568) used by the Stuxnet and Sality worms. I verified the behaviour of the vulnerability and of the countermeasures suggested by Microsoft using the new Metasploit module. I also added a few recommendations for protecting against this type of "zero-day" attack in the future.
This report I just completed is a quick proof of concept that shows how easy it is to use a brand new Metasploit module to manually attack a vulnerable Windows XP SP3 workstation. The module exploits a recently disclosed Windows vulnerability (MS10-046, CVE-2010-2568): the Windows Shell parses shortcut (.LNK) files incorrectly, so that arbitrary code can be executed as soon as the icon of a specially crafted shortcut is displayed, without the user ever opening the shortcut. This vulnerability has been used by the Stuxnet and Sality worms.
I then verified the Microsoft workaround, and it appears to be effective, even without a reboot. I also verified the out-of-band hotfix released on 2010/08/02, and it is also effective, but this time a reboot is necessary. Note that the workaround and the hotfix both address only the Windows vulnerability itself, which is what makes propagation of the malicious payload so easy. Neither would prevent an end user from double-clicking the malicious shortcut(s) and thereby executing the payload that it points to.
In the past, we have settled for telling users to be careful while web surfing and when dealing with email attachments. We also told them to make sure that their antivirus signatures, applications, operating system and browser plugins were kept up to date.
Unfortunately, these days being really careful is not good enough anymore. This proof of concept helps demonstrate that it is more important than ever to apply the principle of least privilege (i.e., remove administrator privileges from the accounts used for day-to-day work) on every Windows operating system version. Running as a standard user does not stop the shortcut's payload from executing, but it confines the payload to that user's rights, which limits what it can install and how far it can spread.
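The report verifies the Microsoft workaround and the hotfix by hand. The following PowerShell script is an added example, not code from the original post or from Microsoft, that performs the same checks on a host: it tests whether hotfix KB2286198 is installed, whether the icon-handler workaround from Security Advisory 2286198 (blanking the default value of the lnkfile IconHandler key) is in place, and whether the WebClient service (the WebDAV delivery channel the advisory also recommends disabling) is stopped and disabled. The registry path, CLSID and service name come from the advisory rather than from this post; the function names and the `Protected` verdict are this example's own.

```powershell
# Added example (not part of the original post): audit a Windows host for
# MS10-046 / CVE-2010-2568 protection.  Written for PowerShell 2.0 so it also
# runs on the Windows XP SP3 workstation used in the report.

# Key and stock CLSID taken from Microsoft Security Advisory 2286198 (assumption:
# the host has not customised its shortcut icon handler).
$IconHandlerKey     = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$StockIconHandler   = '{00021401-0000-0000-C000-000000000046}'

function Test-Ms10046Hotfix {
    # KB2286198 is the out-of-band fix of 2010-08-02; Get-HotFix queries
    # Win32_QuickFixEngineering, which lists it once it has been installed.
    return [bool](Get-HotFix -Id 'KB2286198' -ErrorAction SilentlyContinue)
}

function Test-IconHandlerWorkaround {
    # The workaround blanks the (default) value, so Explorer no longer loads an
    # icon handler for .lnk files and the vulnerable code path is never reached.
    $props = Get-ItemProperty -Path $IconHandlerKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $true }            # key missing: handler cannot load
    return [string]::IsNullOrEmpty($props.'(default)')
}

function Test-WebClientDisabled {
    # WebClient (WebDAV redirector) lets a malicious share be reached over HTTP;
    # the advisory recommends stopping and disabling it.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return $true }              # service not present
    return ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
}

function Get-Ms10046Report {
    $hotfix    = Test-Ms10046Hotfix
    $iconWa    = Test-IconHandlerWorkaround
    $webClient = Test-WebClientDisabled
    # Either the hotfix or the icon-handler workaround closes the icon-rendering
    # bug; disabling WebClient only removes one delivery channel, so it does not
    # count towards the verdict on its own.
    New-Object PSObject -Property @{
        Hotfix_KB2286198    = $hotfix
        IconHandler_Blanked = $iconWa
        WebClient_Disabled  = $webClient
        Protected           = ($hotfix -or $iconWa)
    }
}

function Set-Ms10046Workaround {
    # Applies the advisory's workaround.  Side effect documented by Microsoft:
    # every shortcut is then drawn with a generic icon until the value is restored.
    Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value ''
    Stop-Service -Name 'WebClient' -Force -ErrorAction SilentlyContinue
    Set-Service  -Name 'WebClient' -StartupType Disabled -ErrorAction SilentlyContinue
}

function Remove-Ms10046Workaround {
    # Restores the stock icon handler once the hotfix is installed and the
    # machine has been rebooted.
    Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value $StockIconHandler
}

Get-Ms10046Report | Format-List Hotfix_KB2286198, IconHandler_Blanked, WebClient_Disabled, Protected
```

Run it from an elevated PowerShell prompt; `Set-Ms10046Workaround` and `Remove-Ms10046Workaround` write to HKEY_CLASSES_ROOT and need administrator rights, while the report itself only reads. As the post notes, the hotfix only takes effect after a reboot, so a host that reports `Hotfix_KB2286198 = True` is still exposed until it has restarted.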
References
  1. Metasploit module
  2. Microsoft Security Advisory (KB2286198)
  3. Microsoft Security Bulletin MS10-046
  4. Trend Micro blog
  5. Stuxnet according to McAfee
  6. CVE-2010-2568
