Thanks to Paul Thurrott’s SuperSite for turning me on to a serious Windows vulnerability related to the same shell shared by “… all modern Windows versions from Windows XP through 7, including all Server versions…” There’s also a July 21, 2010 Microsoft Security Advisory (2286198) available that explains this issue, and it’s probably worth reading, too.
Here’s the 10,000-foot view: a Belarusian security firm named VirusBlokAda reported its discovery on June 17 that Windows parses shortcuts in such a way as to enable malicious code to be executed when the icon for a specially-crafted shortcut gets displayed (the code is attached to the icon image, so that processing the image for display also causes the attached code to run). Microsoft plans to issue a fix on the August Patch Tuesday (8/9/2010), but the Security Advisory includes a workaround that may be applied in the interim. Basically, it strips all shortcuts of their icons (no display, no possibility of running malicious code: get it?) so that users enjoy security from this vulnerability at the cost of little white boxes for shortcuts instead of pretty icons.
In testing the workaround on my Windows 7 x64 test machine, I also encountered the new Microsoft Fix It facility, which applied the patch (and gave me access to a reverse-the-fix tool as well). Pretty interesting stuff, and I expect to see it used more often as Microsoft steps up its proactivity in dealing with security glitches in advance of published updates, as in this case. Kewl!
As an aside, I personally hate shortcuts and always opt to keep them off my desktop in 99 out of 100 cases. Who knew that what I thought was an esthetic foible could turn out to be a best security practice?