Microsoft Security Advisory (2286198)

Microsoft Security Advisory (2286198)

Vulnerability in Windows Shell Could Allow Remote Code Execution
在 Windows Shell中的漏洞可能允许远程执行代码

Version: 1.0
General Information
Executive Summary
摘要信息：

Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
微软正在调查有限的，有针对性的 利用一个 Windows Shell漏洞 的***，Windows组件漏洞的报告。此公告包含有关哪些版本的Windows是脆弱以及解决方法，并针对此问题的缓解。

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

该漏洞的存在是因为Windows错误地解析这样的恶意代码可能会被执行，当用户点击一个特殊制作的图标显示的快捷方式。此漏洞是最有可能通过利用可移动驱动器。对于已经 禁用 自动播放的系统，用户将需要手动浏览，以便可移动磁盘的根文件夹中的漏洞被利用。对于Windows 7系统，可移动磁盘的自动播放功能已禁用。

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
我们正积极与我们的MAPP合作伙伴提供信息，他们可以用它来为客户提供更广泛的保护。

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers.
完成调查后，微 软将采取适当行动，以帮助保护我们的客户。

Affected and Non-Affected Software
受影响和不受影响的软件

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Frequently Asked Questions
常见问题

What is the scope of the advisory?
影响范围

Microsoft is aware of a new vulnerability report affecting Windows Shell, a component of Microsoft Windows. This vulnerability affects the operating systems that are listed in the Affected Software section.
微软新漏洞影 响Windows Shell，微软Windows组件。这个漏洞影响的操作系统是在前 一节中列出的受影响的软件系统。（涉及所有windows 版本）

Is this a security vulnerability that requires Microsoft to issue a security update?
这是一个安全漏洞，需要微软发布安 全更新？

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers.
完成调查后，微软将采取适当行动，以帮助保护我们的客户。

What is the Windows Shell?
什么是Windows Shell?

The Windows user interface (UI) provides users with access to a wide variety of objects necessary for running applications and managing the operating system. The most numerous and familiar of these objects are the folders and files that reside on computer disk drives. There are also a number of virtual objects that allow the user to perform tasks such as sending files to remote printers or accessing the Recycle Bin. The Shell organizes these objects into a hierarchical namespace and provides users and applications with a consistent and efficient way to access and manage objects.

Windows 用户界面（UI）提供访问的对象为运行各种应用程序和操作系统的管理必要的用户。最众多的和熟悉这些对象是文件夹和文件驻留在计算机磁盘驱动器。还有一个可以让用户执行，如发送文件到远程打印机或进入回收站任务的虚拟物体的数量。Shell分层命名这些对象，并提供用户和一致的和有效的方式来访问和管理对象的应用程序。

（简单说Shell就是Windows界面，一般可以理解为资源管理器）

What is a shortcut?
什么是快捷方式？
A shortcut is a link to a file or program, represented by an icon. If you double-click a shortcut, the file or program opens. The shortcut is a mechanism often used to keep frequently used files in a single, easily accessed location, such as a folder or the desktop. Shortcuts are implemented as files with the LNK extension.
快捷方式是到一个文件或程序，由一个图标代 表的联系。如 果您双击快捷方式，文件或程序打开。快捷方式是经常被用来保存在一个单一的，易于访问的位置经常使用的文件，如文件夹或桌面上，一个机制。快捷方式实施与lnk扩展名的文 件。

What causes this threat?
是什么原因导致 这种威胁？
When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.
当试图加载一个快捷方式图标，在Windows Shell程序不能正确验证快捷方式的具体参数。

What might an attacker use this vulnerability to do?
***者可能利用此漏洞做什么？
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
***者成功利用此漏洞可以执行任意代码。如果用户使用管理用户权限登录上，***者可以利用完全控制受影响的系统。***者可随后安装程序;查看，更改或删除数据；或者创建拥有完全用户权限的新帐户。用户的帐户被配置为拥有较少系统用户权限的用户比少谁具有管理用户权限受到的影响。

How could an attacker exploit the vulnerability?
***者如何利用 这个安全漏洞？
An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the victim system.
***者可以提 交一个恶意的快捷方式文件到用户的可移动驱动器，和一个关联的恶意的二进制文件。当用户用Windows资源管理器打开这个驱动器，或任何其他应用程序解析的快捷方式图标驱动器，将在受害者系统上执行***者选择的恶意代码。

An attacker could also set up a remote network share, and place the malicious components on this share. When the user browses the share, Windows will attempt to load the icon of the shortcut file, and the malicious binary may be invoked.
***者还可以设置远程网络共享，并将其放置在该共享的恶意组件。当用户浏览该共享，Windows将尝试加载快捷方式的文件图标，恶意的二进制文件可能被调用。

Could this vulnerability be exploited remotely?
此漏洞可能被远程利用？
This vulnerability is most likely to be exploited through removable drives. However, affected shortcuts can also be distributed over network shares or remote WebDAV shares.
此漏洞是最有可 能通过利用可移动驱动器。然而，受影响的快捷方式也可以分布在网络共享或远程的 WebDAV共享。
（也就是说，这个漏洞不太可能被用来发起网页挂马***，但会影响共享文件夹的局域网）

How are the Windows 7 Service Pack 1 Beta and Windows Server 2008 R2 Service Pack 1 Beta releases affected by this vulnerability?
如何在 Windows 7 beta Service Pack 1和Windows Server 2008 R2 Service Pack 1的Beta版评估此漏洞的影响？

Windows 7 Service Pack 1 Beta and Windows Server 2008 R2 Service Pack 1 Beta are affected by the vulnerability. Customers running these beta releases are encouraged to apply the workarounds described in this advisory.

Windows 7 Service Pack 1 Beta版和Windows Server 2008 R2  Service Pack 1 Beta版都受到这个安全漏影响。客户运行这些测试版本，适用于本公告所描述的解决方法。

Mitigating Factors
缓解因素
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of this issue. The following mitigating factors may be helpful in your situation:
缓解是指一种设 置，常见的配置，或一般的最佳实践，在默认状态存在，可以减少此问题的严重性。以下缓解因素可能有助于您的情况：

•An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
成功利用此漏洞可以获得与本地用户相同的用户权限的***者。用户的帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限受到的影响小。

•When AutoPlay is disabled, the user would manually have to launch Windows Explorer or a similar application and browse to the root folder of the removable disk.
当自动播放被禁用，用户必须手动启动 Windows资源管理器或类似的应用程序和浏览到可移动磁盘的根文件夹。

•Blocking outbound SMB connections on the perimeter firewall will reduce the risk of remote exploitation using file shares.
中小企业 在外围防火墙 阻止出站 连接将减少使用远程文件共享的危险。

Workarounds
变通办法
Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
变通办法是指一 种设置或配置更改不正确的基本问题，但将有助于阻止已知的***向量，然后再应用此更新。 Microsoft已测试以下变通办法的讨论和各国是否有解决办法降低功能：

•Disable the displaying of icons for shortcuts
禁用显示为快捷 方式的图标

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

注意：使用注册表编辑器不当可导致严重问题，可能需要重新安装操作系统。 Microsoft不能保证能够解决因为注册表编辑器的不正确使用而产生的问题。使用注册表编辑器需要您自担风险。有关如何编辑注册表，查看“更改项 和值”帮助在注册表编辑器（Regedit.exe）中的主题或查看RegEdt32中的“添加和删除注册表中信息”和“编辑注册表数据”帮助主题的信息。

1.Click Start, click Run, type Regedit in the Open box, and then click OK

2.Locate and then click the following registry key:

HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

3.Click the File menu and select Export

4.In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save

Note This will create a backup of this registry key in the My Documents folder by default
这将创建一个默认情况下注册表项的备份文件夹

5.Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
选择在编辑器中 Registy右边窗口中的值（默认）。按下Enter键，编辑键的值。删除值，所以该值是空 白，并按下回车键。

6.Restart explorer.exe or restart the computer.
重新启动Explorer.exe或重新启动 计算机。

Impact of workaround.Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.
当此解决方案实施后，快捷方式文件和IE浏览器的快捷方式将不再有一个图标显示。就是说，快捷方式仍然可用，但快捷方式的图标不可见。

•Disable the WebClient service
禁用WebClient服务

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

禁用WebClient服务有助于防止有人企图利用阻止通过网络远程***最有可能受影响 的系统矢量此漏洞的分布式创作和版本控制（WebDAV）客户端服务。在应用此解决方案，它仍然是对谁成功利用此漏洞的远程***者可能导致Microsoft Office Outlook来对目标用户的计算机或局域网（LAN）上位于运行程序，但用户将被提示进行确认，然后才开启从互联网上任意程序。

To disable the WebClient Service, follow these steps:

1.	Click Start, click Run, type Services.msc and then click OK.
2.	Right-click WebClient service and select Properties.
3.	Change the Startup type to Disabled. If the service is running, click Stop.
4.	Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.
变通办法的影 响。当WebClient服务被禁用，Web分布式创作和版本控制（WebDAV）的请 求不会传染。此外，对任何服务，明确依赖Web客户端服务将无法启动，并且错误消息将被记录在系统日志中。例如，将无法访问WebDAV的股份 从客户端计算机。

How to undo the workaround.

如何撤消变通方法。

To re-enable the WebClient Service, follow these steps:
要重新启用WebClient服务，请按照下 列步骤：

1.	Click Start, click Run, type Services.msc and then click OK.
2.	Right-click WebClient service and select Properties.
3.	Change the Startup type to Automatic. If the service is not running, click Start.
4.	Click OK and exit the management application.

文章来源：http://www.microsoft.com/technet/security/advisory/2286198.mspx
以上内容为Google翻译处理结果

有关漏洞利用方式的讨论，请参考
http://hi.baidu.com/singlestudio/blog/item/f7fda22a781aba20d42af131.html

这个漏洞风险很大，被恶意利用时，看一眼恶意软件所在的文件夹，就会中毒。

第一感觉，VBS.KJ那个该死的病毒传播方法又回来了。几年前，VBS.KJ利用生成desktop.ini和folder.htt文件(这两个文件控制了文件夹在资源管理器中的显示)，不需要双击病毒，仅看一眼就会中毒。

现在这个新的漏洞，利用方式和VBS.KJ极其想像，预计，利用这个漏洞的病毒会影响很多人的机器，祈祷微软早点出补丁。金山毒霸安全实验室还在密切关注中，不排除提供应急补丁的可能性。