In a couple of recent blogs, I’ve been reporting about a particularly nasty strain of malware based on a Windows Shell Vulnerability that affects all desktop versions of Windows from 2000 through 7, and all Server versions from 2000 to 2008 R2:
- 7/29/2010: Vulnerability in Windows Shell could allow remote code execution
- 8/2/2010: Windows Shell Vulnerability to Get Emergency Update Today
It turns out that this is a particularly nasty strain of malware: it served, for example, as the underlying attack vector for the Stuxnet worm, which has been used successfully to penetrate numerous Siemens-designed power plants running Windows-based SCADA systems. Even more troubling, this original implementation (which featured rootkit functionality and ran as signed code, indicating a sophisticated attacker at work) has been imitated successfully by less sophisticated malefactors and “…is likely to become a mainstay of malware distribution techniques…” according to ESET researcher Pierre-Marc Bureau (quoted in Sherman Hand’s prescient 7/23/2010 story entitled “Unpatched Shortcut Vulnerability Exploited by Malware”).
Interestingly, ESET antivirus is one of a number of packages that attempt to block the installation of KB2286198 (the emergency update released on 8/2/2010 by Microsoft), which is designed to counter this very threat. Reports from the field indicate that several AV or malware protection packages may block or mangle application of this update. Current recommendations are to download the patch, disconnect the PC to be patched from the network, disable the AV or other security software in use, apply the patch, then reverse the process to restore the machine to normal operation.
Some users have also reported that they cannot access their most recent restore points as they seek to undo the damage that can result from failed or incomplete application of the KB2286198 patch. In those cases, booting from a system repair disk, a bootable Windows 7 install UFD, or the original Windows 7 DVD provides access to that restore point, after which the system can be returned to its presumably pristine (or at least working) state prior to initial attempts to apply the update.
Then by following the recommended steps (disconnect from network, disable security software, apply update, re-enable security software, reattach to network) the patch can be applied successfully.
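Because AV interference can leave the update partially applied, the step most worth adding is a check that KB2286198 actually ended up installed once the machine is back on the network. The PowerShell function below is an added example, not code from the original post; the function name and the affected-version range (Windows 2000 through Windows 7 / Server 2008 R2, taken from the post) are my assumptions, and remote hosts need WMI/RPC access.

```powershell
# Added example (not from the original post): report, for one or more hosts,
# whether the OS falls in the affected range and whether KB2286198 is present.
# Assumes PowerShell 2.0+ and WMI/RPC access to any remote hosts queried.
function Test-Kb2286198 {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $os = $null; $fix = $null; $err = $null
        try {
            # Win32_OperatingSystem gives the kernel version string, e.g. 6.1.7601.
            $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            # Get-HotFix reads Win32_QuickFixEngineering, which lists only
            # updates that completed installation; a blocked or rolled-back
            # attempt simply does not appear here.
            $fix = Get-HotFix -Id KB2286198 -ComputerName $computer -ErrorAction SilentlyContinue
        } catch {
            $err = $_.Exception.Message
        }

        # Affected range per the post: Windows 2000 (5.0) up to and including
        # Windows 7 / Server 2008 R2 (6.1). Anything newer is out of scope.
        $affected = $false
        if ($os) {
            $ver = [version]$os.Version
            $affected = ($ver -ge [version]'5.0') -and ($ver -lt [version]'6.2')
        }

        New-Object PSObject -Property @{
            ComputerName = $computer
            OSVersion    = if ($os) { $os.Version } else { 'unknown' }
            Affected     = $affected
            Patched      = [bool]$fix
            InstalledOn  = if ($fix) { $fix.InstalledOn } else { $null }
            Error        = $err
        }
    }
}

# Local check; pass -ComputerName host1,host2 to sweep several machines.
Test-Kb2286198 | Format-Table ComputerName, OSVersion, Affected, Patched, InstalledOn, Error -AutoSize
```

A host that shows Affected = True and Patched = False after the disconnect/disable/apply sequence is the case the post warns about, and the Windows Update history on that machine is where the failed attempt itself will be recorded.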