VERT Alert

July 20, 2010 5:15 PST

The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

The last few days have seen more and more discussion around the new vulnerability affecting Microsoft Windows and addressed by Microsoft Security Advisory 2286198 [1]. This advisory describes CVE-2010-2568 [2], a vulnerability in the Windows Shell affecting all shipping versions of Windows.

This vulnerability was discovered in the wild, as a means of spreading malware targeting Siemens WinCC SCADA management software [3], and has since been included in popular penetration testing frameworks.

Microsoft has acknowledged that it is working on an update to address this issue, but at this time has not indicated when that update will ship. In the meantime, individuals should apply the Microsoft-provided mitigations as soon as possible. Microsoft has provided two steps (described in more detail in the advisory):

  1. Delete the data stored in HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler\(Default)
  2. Disable the WebClient service.

Assessing Your Systems

Current nCircle IP360 customers can determine affected systems with the following nCircle Focus™ query:

Focus query: OS:"Windows"

Current nCircle Configuration Compliance Manager (CCM) customers can create a simple policy to validate that acceptable mitigating configurations are in place. nCircle recommends that the policy include the following:

  1. Disable USB Storage: create a CCM registry test to validate that the following key has a value of ‘4’:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start

  2. Disable Shortcut Icons: create a CCM registry test to validate that the following key has a value of ‘<blank>’ (no value):
    HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler\Default

  3. Disable the WebClient service: create a CCM Windows Services test to check that the WebClient service is not running and a second test to check that the WebClient service is disabled.
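For administrators without CCM, the following PowerShell script is an added example (it is not part of the nCircle alert, nor an nCircle or Microsoft tool) that performs the same three read-only checks as the policy above, which also covers the two Microsoft mitigation steps listed earlier. The registry paths and the service name are taken from the alert; the Win32_Service class and the Registry:: provider path are standard Windows PowerShell features, and Get-WmiObject is used so the script runs on the PowerShell 2.0 that shipped with Windows 7. Run it from an elevated prompt; it changes nothing and exits with a non-zero code when any mitigation is missing.

```powershell
# Added example: audit the three LNK-related mitigating configurations from the
# nCircle VERT Alert. Read-only. Run elevated. Works on PowerShell 2.0 and later.

function Test-LnkMitigations {
    $results = @()

    # 1. USB mass-storage driver disabled: Start = 4 means SERVICE_DISABLED.
    $usbStorPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $usbStor = Get-ItemProperty -Path $usbStorPath -Name Start -ErrorAction SilentlyContinue
    $usbActual = if ($usbStor) { $usbStor.Start } else { '<key or value missing>' }
    $results += New-Object PSObject -Property @{
        Check     = 'UsbStor Start = 4'
        Actual    = $usbActual
        Compliant = [bool]($usbStor -and $usbStor.Start -eq 4)
    }

    # 2. Shortcut icon handler cleared: the (Default) value of the IconHandler
    #    key must be blank. HKCR: is not mounted as a drive by default, so the
    #    Registry:: provider path is used instead.
    $handlerPath = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
    $handlerKey = Get-Item -Path $handlerPath -ErrorAction SilentlyContinue
    $handlerValue = $null
    if ($handlerKey) { $handlerValue = $handlerKey.GetValue('') }   # '' names the (Default) value
    $handlerBlank = [string]::IsNullOrEmpty($handlerValue)
    $handlerActual = if ($handlerBlank) { '<blank>' } else { $handlerValue }
    $results += New-Object PSObject -Property @{
        Check     = 'lnkfile IconHandler (Default) blank'
        Actual    = $handlerActual
        Compliant = $handlerBlank
    }

    # 3. WebClient service not running, and its start mode set to Disabled.
    #    A host without the service installed cannot run it, so that counts as compliant.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $svcState = if ($svc) { $svc.State } else { '<service not installed>' }
    $svcMode  = if ($svc) { $svc.StartMode } else { '<service not installed>' }
    $results += New-Object PSObject -Property @{
        Check     = 'WebClient not running'
        Actual    = $svcState
        Compliant = [bool](($null -eq $svc) -or ($svc.State -ne 'Running'))
    }
    $results += New-Object PSObject -Property @{
        Check     = 'WebClient start mode Disabled'
        Actual    = $svcMode
        Compliant = [bool](($null -eq $svc) -or ($svc.StartMode -eq 'Disabled'))
    }

    # Select-Object fixes the column order, which a PS 2.0 hashtable does not preserve.
    $results | Select-Object Check, Actual, Compliant
}

$audit = Test-LnkMitigations
$audit | Format-Table -AutoSize

$failed = @($audit | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    $names = ($failed | ForEach-Object { $_.Check }) -join '; '
    Write-Warning ("{0} mitigation(s) not in place: {1}" -f $failed.Count, $names)
    exit 1
}
```

The WebClient check is split in two on purpose, mirroring the alert's recommendation of separate "not running" and "disabled" tests: a service that is merely stopped will start again on demand or at the next boot, so only the Disabled start mode is a durable mitigation.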

All data and commentary are based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.

[1] http://www.microsoft.com/technet/security/advisory/2286198.mspx
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
[3] http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/