| FNAL Critical Vulnerability Platform: Microsoft Windows XP**, Windows Server 2003, Windows 2008, Vista, Windows 7 Product: MS10-046 Vulnerability in Windows Shell .LNK Handling (2286198) Exploitation: Users may be presented a 'shortcut' file from an email, web page or embedded in a document. Subsequent parsing of the shortcut file can result in the execution of malicious code. Patch URL: FNAL SMS, FNAL WSUS, http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx Declaration date: August 2, 2010 Patch By*: Friday, August 13, 2010 (date may be moved up if public exploits become widespread, activity is found at FNAL or other attack avenues are reported) A vulnerability has been reported and patched by Microsoft affecting the way Windows shortcut files (.lnk) are interpreted. A user may inadvertently download a malicious .lnk file from an email, visiting a web site, inserting infected removable media or from infected documents. Once a user uses the File Manager to navigate to the local copy of the .lnk file or otherwise tries to interpret the file, malicious code may be executed with the current user privileges to compromise the machine. Current antivirus should be catching the current variant of this attack which has been already detected in multiple viruses. All affected Windows systems** must be patched by Friday, August 13, 2010. This date may be moved up if required. Microsoft reference URL: http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx * Note that patches should automatically be applied by your desktop support staff through normal patching mechanisms. As a last resort, you can also visit Windows Update to have the patches applied, or visit the Microsoft URL above and manually download/install the patch for your operating system. ** There are no patches available for pre-Windows XP SP3. If your machine is running XP Service Pack 2 or lower, you will need to first upgrade to Service Pack 3. |
|
For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by JK on Oct 23, 2008. (Address comments about page to the Computer Security Team.) |