Two Windows vulnerabilities, one a 0-day, are under active exploitation

Upvote
231 (234 / -3)

Painted

Ars Centurion
201
Subscriptor
Is this really the tone you chose to answer their question? This is not appropriate.
And then he pinned his snarky response for all to see as well.

I've noticed Mr. Goodin's articles frequently include deep technical detail about what an attack is, but usually zero information on how to detect if you're infected or how to mitigate the situation.
 
Upvote
227 (229 / -2)

vonduck

Ars Scholae Palatinae
1,192
Half the results give stuff that doesn't work and then link to something else that might or might not work, involving Group Policy, which doesn't exist for Home without a lot of faffing around, or regedit. The rest are irrelevant.

I was hoping for some official workaround from MS security bulletins and whatnot that'll get undone properly when a proper patch is deployed.

I still don't know if years ago I did some disabling of the Intel ME that ended up hiding the stupid TPM bits in the BIOS. Probably not... but basically, once weird fixes are applied, no one ever remembers to undo them (or how to) once the proper fixes are out.
 
Upvote
72 (73 / -1)
Maybe I missed it, but I don't see the impacted Windows versions in the article. It would be nice to know if this is a Windows 10 thing, a Windows 11 thing, or both.
The ZDI article and the various CVEs do not mention specific versions either, which probably means "all of them". Also, Microsoft has deemed this vulnerability "as not meeting the bar for servicing", a.k.a. Won't Fix.
 
Upvote
63 (63 / 0)

tigerhawkvok

Ars Scholae Palatinae
1,124
Subscriptor
From what I could find

https://superuser.com/a/1231305

looks to be the best answer --

(GPO is Group Policy in this comment)
You can enable the following GPOs:

User Configuration\Administrative Templates\Start Menu and Taskbar\Do not use the search-based method when resolving shell shortcuts
corresponding registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoResolveSearch

User Configuration\Administrative Templates\Start Menu and Taskbar\Do not use the tracking-based method when resolving shell shortcuts
corresponding registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoResolveTrack

User Configuration\Administrative Templates\Windows Components\File Explorer\Do not track shell shortcuts during roaming
corresponding registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\LinkResolveIgnoreLinkInfo

(and since we're sharing searches -- https://kagi.com/search?q=windows+explorer+disable+path+link+resolve&r=us&sh=r07fG8vJCTXaQ5sTUOU7OA )
 
Upvote
33 (34 / -1)

alansh42

Ars Praefectus
3,648
Subscriptor++
Is this really the tone you chose to answer their question? This is not appropriate.
The search also doesn't answer the question. The results are about fixing links that don't work, not the opposite.

Edit: the above Superuser answer is about searching for a link target after it's been moved. It's not about disabling links in general. That would probably break a lot of things if you did it.

The link issue is obfuscating the target of the link, so if you check the properties it doesn't show what it's actually doing. But fundamentally it's inducing a user to click something from a dubious source. I doubt most users even checked the link target.

The WSUS issue is very likely our good old friend BinaryFormatter.
Caution

We strongly recommend against using BinaryFormatter due to the associated security risks. Existing users should migrate away from BinaryFormatter.
 
Upvote
68 (68 / 0)
And then he pinned his snarky response for all to see as well.

I've noticed Mr. Goodin's articles frequently include deep technical detail about what an attack is, but usually zero information on how to detect if you're infected or how to mitigate the situation.
Yea, pinning it is the icing on a very sour cake.
Regarding not including IOCs and mitigations in the articles, tbh they're not always available publicly at publication time.
 
Upvote
120 (120 / 0)

arstekian

Smack-Fu Master, in training
73
Subscriptor++
Upvote
190 (190 / 0)
And then he pinned his snarky response for all to see as well.

I've noticed Mr. Goodin's articles frequently include deep technical detail about what an attack is, but usually zero information on how to detect if you're infected or how to mitigate the situation.
At a previous job the security team attitude was basically "we've heard about/detected this vulnerability, it's up to the rest of you to figure out how to resolve/mitigate" and then wiped their hands clean.
Not sure if that attitude is typical of most security folks or not...
 
Upvote
65 (69 / -4)

rhavenn

Ars Tribunus Militum
1,809
Subscriptor++
At a previous job the security team attitude was basically "we've heard about/detected this vulnerability, it's up to the rest of you to figure out how to resolve/mitigate" and then wiped their hands clean.
Not sure if that attitude is typical of most security folks or not...

Well, in a large enough business the security team normally doesn't have the permissions to actually turn the knobs and dials to fix stuff. So, yes, a lot of the time it is seemingly thrown over the fence, but if the security team does have permissions and breaks something, then someone would be bitching about that.

All in all, the people responsible for the endpoints should be the ones patching / fixing them with whatever management tool they have. That being said, the security team should be willing to at least help figure it out if it's not an obvious fix.
 
Upvote
54 (56 / -2)

MrTom

Ars Tribunus Militum
2,068
I had enabled Standard Security in my Microsoft/Office 365 dashboard, or Entra or Exchange, I can't remember where I was when I enabled it last week, for my organization. I tried to email myself a .lnk file and it was returned to sender. I tried to .zip the .lnk and send it that way, and again it was returned. So at least I know we have a little protection from randos sending .lnk files into our org.
 
Upvote
32 (32 / 0)

BulletCatcher

Seniorius Lurkius
36
Subscriptor++
At a previous job the security team attitude was basically "we've heard about/detected this vulnerability, it's up to the rest of you to figure out how to resolve/mitigate" and then wiped their hands clean.
Not sure if that attitude is typical of most security folks or not...
Judging by threads in /r/sysadmin, it's all that security does. Run a scan, squawk about findings, then go back to watching Netflix. I feel confident in stating that my team doesn't do that. We, in theory, have the capability to apply fixes ourselves but those are with accounts that are essentially break the glass because all of our sysadmins got hit by a bus or something.

Operations don't want us touching their stuff, and I absolutely respect that. I'm not a sysadmin, I'm far more likely to screw it up because I don't know that system X can't install update Y or else it breaks core application Z.

On the other hand, when these issues do come up, I've ingrained the culture within my team that we don't just toss it over the fence. We pull relevant articles that cover installation, mitigations that can be done as opposed to patching if any exist, and do as much of the grunt work that we can that isn't actually turning the knobs and pushing the buttons. Apparently, we're unicorns.
 
Upvote
102 (104 / -2)

nxg

Ars Centurion
223
Subscriptor
Operations don't want us touching their stuff, and I absolutely respect that. I'm not a sysadmin, I'm far more likely to screw it up because I don't know that system X can't install update Y or else it breaks core application Z.

On the other hand, when these issues do come up, I've ingrained the culture within my team that we don't just toss it over the fence. We pull relevant articles that cover installation, mitigations that can be done as opposed to patching if any exist, and do as much of the grunt work that we can that isn't actually turning the knobs and pushing the buttons. Apparently, we're unicorns.
Unfortunately, I’m unable to upvote this more than once.
 
Upvote
46 (46 / 0)

FSTargetDrone

Ars Scholae Palatinae
838
Sorry if that came off as snark or a complaint. I hadn't done the search and waded through any AI slop in the results and I thought you might already have a link that you knew was accurate from researching the story.
There’s no reason you need to apologize for that.
 
Upvote
108 (111 / -3)
So apparently the flaw, as per Trend Micro's writeup, is that you can spam whitespace and newlines in the "Target" field of a shortcut that determines what the shortcut runs and with what arguments, and the shortcut will just ignore the whitespace and continue to work, but stuff that comes after the whitespace (e.g. a payload) may not be visible in the Properties window, especially if there are newlines.

How the hell is this a wontfix? Can't the textbox be made to properly show arbitrarily long strings and newlines and other goofy characters rendered as Control Pictures from the Unicode standard?
 
Upvote
41 (41 / 0)

alansh42

Ars Praefectus
3,648
Subscriptor++
So apparently the flaw, as per Trend Micro's writeup, is that you can spam whitespace and newlines in the "Target" field of a shortcut that determines what the shortcut runs and with what arguments, and the shortcut will just ignore the whitespace and continue to work, but stuff that comes after the whitespace (e.g. a payload) may not be visible in the Properties window, especially if there are newlines.

How the hell is this a wontfix? Can't the textbox be made to properly show arbitrarily long strings and newlines and other goofy characters rendered as Control Pictures from the Unicode standard?
Like I said, it obfuscates the link but I guarantee 99.99% of the people who download and run it aren't checking the link target.
 
Upvote
21 (21 / 0)

dangoodin

Ars Tribunus Militum
1,649
Ars Staff
Sorry if that came off as snark or a complaint. I hadn't done the search and waded through any AI slop in the results and I thought you might already have a link that you knew was accurate from researching the story.
I just discovered that the link I put in didn't make it into the last-published story that went live. It's: https://arcticwolf.com/resources/bl...-zdi-can-25373-vulnerability-to-deploy-plugx/. It doesn't say or link to how you can do that. I didn't have a link handy to a how-to when I responded and was out running an errand. I just thought it'd be quicker/easier/more helpful if I just sent a quick link with a reminder that that's where I would have to start. Sorry if that came off wrong.
 
Upvote
14 (53 / -39)
Both are pretty low risk for users who are not in a corporate environment.
The second one required the use of WSUS, which virtually no one at home uses (it is like Windows Update but for corporate PCs).
The first one is a little more risky; however, if people pay attention to what they download, don't simply install anything, and don't open random files from emails, they are safe. The .lnk issue (these are Windows shortcuts, the kind you have on your desktop and start menu) requires that you have downloaded an infected .lnk file and run it. If you do that kind of behavior, stop, because you will be letting viruses and malware in as well.
 
Upvote
26 (26 / 0)

CmdrKeene

Wise, Aged Ars Veteran
116
And then he pinned his snarky response for all to see as well.

I've noticed Mr. Goodin's articles frequently include deep technical detail about what an attack is, but usually zero information on how to detect if you're infected or how to mitigate the situation.
The proposed web search simply leads to numerous articles that say there is no way to accomplish it. That is, no way to disable the automatic resolution of the shortcut files. Even though the article says that it is possible and is the recommended mitigation. So apparently it's not possible. Apparently it used to be sometime before 2021...
 
Upvote
40 (40 / 0)

torque2k

Ars Praetorian
497
Subscriptor++
I just discovered that the link I put in didn't make it into the last-published story that went live. It's: https://arcticwolf.com/resources/bl...-zdi-can-25373-vulnerability-to-deploy-plugx/. It doesn't say or link to how you can do that. I didn't have a link handy to a how-to when I responded and was out running an errand. I just thought it'd be quicker/easier/more helpful if I just sent a quick link with a reminder that that's where I would have to start. Sorry if that came off wrong.
Understandable, but you can imagine a bunch of highly technical peeps reading a doom-and-gloom article which is telling them they'll likely have to do extra work on the weekend, and the article not having "Sources, please" for a quick fix... ;) But thanks for being on top of things, it's why I still read Ars!

For those not in the MSP/channel world, if you see posts on security vulnerabilities from Huntress, believe 'em. They're the real deal, a small security business doing right by their clients, with incredibly deep research at the ready. Love love love them!
 
Upvote
26 (29 / -3)

multimediavt

Ars Scholae Palatinae
1,266
I just discovered that the link I put in didn't make it into the last-published story that went live. It's: https://arcticwolf.com/resources/bl...-zdi-can-25373-vulnerability-to-deploy-plugx/. It doesn't say or link to how you can do that. I didn't have a link handy to a how-to when I responded and was out running an errand. I just thought it'd be quicker/easier/more helpful if I just sent a quick link with a reminder that that's where I would have to start. Sorry if that came off wrong.
How about unpinning your completely inappropriate comment from the article, sir, and sincerely apologizing to the commenter, and the rest of the folks that support this site and don't need abuse from writers/editors that get paid on our visiting or subscribing to the site and reading your stories. You lost me as a subscriber.

And yes, I reported your comment to management as abusive and inappropriate.
 
Upvote
55 (65 / -10)
I just discovered that the link I put in didn't make it into the last-published story that went live. It's: https://arcticwolf.com/resources/bl...-zdi-can-25373-vulnerability-to-deploy-plugx/. It doesn't say or link to how you can do that. I didn't have a link handy to a how-to when I responded and was out running an errand. I just thought it'd be quicker/easier/more helpful if I just sent a quick link with a reminder that that's where I would have to start. Sorry if that came off wrong.
We do all know how to type a question into a search engine, but these days that can be the start of a long slog. With 30+ years of Windows internet history there's a huge amount of information that stopped working after XP, 7, 8, 10 that still appears in search results.

ChatGPT and such are no better. When I bother to ask them development questions, more often than not I get hallucinations that solve the wrong problem and/or won't even compile. No, ChatGPT, the InstallShield UI hasn't worked that way for over a decade and your PowerShell code just errors out as an MSI custom action.

I tried to say (perhaps not very clearly) that if you had working instructions then posting a link to them would've saved us readers some duplicated effort. If not, then saying so was all you needed to do.
 
Upvote
58 (59 / -1)
How about recognizing that it's late on a Friday night (and Halloween at that) and give him a little grace. Especially as he came back well outside working hours to apologize to that specific arsian in the very comment you quoted.
Yes, I think the "let me google that for you" initial response wasn't helpful but I'm not outraged or asking to speak with his manager Karen-style :)
 
Upvote
10 (29 / -19)
You could just as easily have provided the link yourself instead of directing a complaint at me:

https://duckduckgo.com/?q=set+Windows+Explorer+to+disable+the+automatic+resolution+of+.lnk+files
I post literally once every year or so. Congrats. You made me post.

Imagine being this egotistical. Someone posted something that could genuinely improve your article and assist people that are less technical and you spit in their face for it.

Imagine behaving like a child just because someone offered a suggestion. Unbelievable.
 
Upvote
69 (75 / -6)

janhec

Ars Scholae Palatinae
866
Subscriptor
Both are pretty low risk for users who are not in a corporate environment.
The second one required the use of WSUS, which virtually no one at home uses (it is like Windows Update but for corporate PCs).
The first one is a little more risky; however, if people pay attention to what they download, don't simply install anything, and don't open random files from emails, they are safe. The .lnk issue (these are Windows shortcuts, the kind you have on your desktop and start menu) requires that you have downloaded an infected .lnk file and run it. If you do that kind of behavior, stop, because you will be letting viruses and malware in as well.
That appears right. Especially the .lnk misuse can, as you say, be avoided mostly or completely by being careful with downloads, which is easier for private individuals than for corporate users, because corporate users can be spearphished more effectively.
Also, the unavailable fix, not allowing automatic resolution, appears to be a way of fairly much sabotaging your desktop, menus etc., like forcing yourself to walk with a rollator when you are fit but fear that you may lose mobility at any time.
The won't-fix attitude at MS appears bizarre.
Inspecting the Trend Micro description at https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html, the crafting of the .lnk files does not directly cause execution as in a buffer overflow, but hides the target, which appears to have been downloaded separately. The obscuring is done by including enough spaces, CR, LF etc., which are not displayed in the single-line UI. (Other aspects, like the icon, help inspire trust, but are not viral.)
So, one part of the remedy is changing from a single-line to a multiline scrollable display (in the .lnk properties dialog), which is not a lot of trouble to do for MS, of course.
Otherwise, it is an antivirus thing and should not be too hard to implement there.
Trend Micro obviously advertised their AV for this, but others should have picked this up, too.
I do not know whether Windows Security picks these up.
 
Upvote
14 (14 / 0)
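The mechanism janhec and the earlier unnamed poster describe (whitespace and CR/LF padding in the shortcut's argument field so the single-line Properties dialog never shows the real command line) lends itself to a file-level check, which is the "antivirus thing" janhec mentions. The script below is an added example, not code from the thread, from Trend Micro or from Microsoft. It parses the StringData section of a Shell Link (.lnk) file following the MS-SHLLINK layout (fixed 76-byte header, optional LinkTargetIDList and LinkInfo, then the five length-prefixed strings), measures the longest run of padding characters in COMMAND_LINE_ARGUMENTS, and reports what sits behind that run. The padding threshold, the build_lnk helper and the two sample shortcuts are constructed for the demonstration; the parser does not read ExtraData, which follows the strings and is not needed here.

```python
import re
import struct

# LinkFlags bits and header constants from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData fields appear in this fixed order after the optional structures.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Characters the single-line dialog hides. The run length that counts as
# padding is a constructed threshold for this example, not a vendor value.
PADDING_RE = re.compile(r"[ \t\r\n\x0b\x0c]+")
PADDING_THRESHOLD = 16


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link blob as a dict of str."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList bytes
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize covers the whole structure
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def analyze_arguments(arguments: str) -> dict:
    """Flag whitespace padding that pushes the real command line out of view."""
    runs = list(PADDING_RE.finditer(arguments))
    longest = max(runs, key=lambda m: m.end() - m.start(), default=None)
    longest_len = longest.end() - longest.start() if longest else 0
    has_line_breaks = "\r" in arguments or "\n" in arguments
    # Line breaks never belong in a legitimate argument string, so they are
    # flagged on their own; long runs of spaces need to pass the threshold.
    suspicious = longest_len >= PADDING_THRESHOLD or has_line_breaks
    return {
        "longest_padding_run": longest_len,
        "has_line_breaks": has_line_breaks,
        "suspicious": suspicious,
        # The part a reviewer would have needed to see in the dialog.
        "hidden_command": arguments[longest.end():] if suspicious and longest else "",
    }


def scan_lnk_bytes(data: bytes) -> dict:
    """Parse a .lnk blob and return the padding verdict together with its fields."""
    fields = parse_lnk(data)
    verdict = analyze_arguments(fields.get("arguments", ""))
    verdict["fields"] = fields
    return verdict


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal valid .lnk blob (constructed test input, not a real file)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=1 (SW_SHOWNORMAL)
    id_list = struct.pack("<H", 2) + b"\x00\x00"           # empty list: TerminalID only

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Constructed samples: a normal shortcut and one padded the way the thread
    # describes (spaces and CR/LF in front of the arguments that actually run).
    benign = build_lnk(r"..\..\Windows\System32\cmd.exe", "/k echo hello")
    padded = build_lnk(r"..\..\Windows\System32\cmd.exe",
                       " " * 40 + "\r\n\r\n" + "/c placeholder-hidden.cmd")
    for label, blob in (("benign", benign), ("padded", padded)):
        result = scan_lnk_bytes(blob)
        print(label, result["suspicious"], result["longest_padding_run"],
              repr(result["hidden_command"]))
```

To sweep a mail quarantine or a downloads folder, read each .lnk file's bytes and pass them to scan_lnk_bytes; anything with a line break in its arguments is reported regardless of length, because nothing a user creates through the shell puts CR or LF there, while the threshold on plain spaces is the knob to tune against false positives in your own environment.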