July 23rd, 2010, 03:04 PM
ZIIIING... Sorry but i find this very very very very amusing.
Originally Posted by SnugglesTheBear
July 23rd, 2010, 05:08 PM
Upon reading http://www.microsoft.com/technet/sec...y/2286198.mspx, the link states the following under the faq and I quote "How could an attacker exploit the vulnerability?
Originally Posted by The-Spec
An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the victim system.
An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents). "
I do believe the attack I describe fits within the scope of the second paragraph.
Last edited by SnugglesTheBear; July 23rd, 2010 at 05:30 PM.
July 23rd, 2010, 05:15 PM
*runs to get popcorn*
\"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"
July 23rd, 2010, 08:24 PM
LOL, am I the only one pissing myself laughing? Come on, people have been bashing Microsoft for security since... Well, long before I came along to take the torch and haz burnination lol.
Remember when you had to actually open an email, download the attachment, and then run the thing the idiot who sent it to you named "Yea suck on this *******.exe" lol.
Good times... Apparently you can't even double click anymore! Oh no! I wonder if Apple will make some more of those idiotic ads they love so much about how Mac's only have one button and that might make them safer. And of course how "PC" was always sick with a virus and told Mac to get away and he'd be a jack ass and say he couldn't be infected. Man these people....
July 25th, 2010, 01:09 PM
Its not something that would "show up on a web page". And when you connect to shared directorys in IE it uses the default icons associated with these files. Browsers haven't automaticly opened word documents and pdf files since 1998.
Why try to up-play this to the point of outright lies?
July 26th, 2010, 01:43 PM
I'd like extra butter on mine, Westin!
If you are a M$ shop and you host your Exchange server and your Domain is 2000 or above (If you're still NT then stop reading and go out back and quietly shoot yourself)
This statement should be true even if you learned networking from Jim Bobs School of Networking and Fish and Tackle Supplies:
It is impossible to send .lnk files in email and when you insert any removable drive or a CD/DVD into a computer NOTHING HAPPENS. (Cause autorun is disabled)
AD Policies people - AD Policies.
Yea and screw the home user. You picked up the road apple you clean it up.
July 26th, 2010, 04:27 PM
Maybe I was not clear on how the attack would execute and thus the source of the argument. >.< What I was trying to state was that a malicious website has the victim download unknowingly two components onto the victims machine, the .exe and the .lnk. When the victim navigates(or in some circumstances if the browser automatically opens up the folder) to his/her downloads folder or wherever they put it, the .lnk exploit will trigger and then the malicious .exe will execute. :/
July 26th, 2010, 04:55 PM
I am sure this can be mitigated by not running\browsing\surfing as administrator....
the .lnk exploit will trigger and then the malicious .exe will execute. :/
How people treat you is their karma- how you react is yours-Wayne Dyer
July 27th, 2010, 12:26 AM
Oh good! So only 99% or so of people are at risk as opposed to.. Oh... And, you know, pre-Windows 7 default installations having the Admin account logged in by default without any password whatsoever, and no user adding panel like other OSs, and the general "If you don't want to browse as admin, or do anything like that, well, you CAN do it, but since 99% of you in the Home Computer Market have no idea why, or how, a Computer works, or why, or how, you shouldn't do this, and instead of trying, we'll make the ADMIN account, log in not only as the default account, we won't put a password on that either, and if you do want to, all you have to do is get into the user and account area of Control Panel, and set a password, and make a user for yourself that isn't admin, even though you type your normal name to log in and..."....
Originally Posted by morganlefay
I can't imagine more than 2 or 3 people out of 3,000 even getting through half of that without saying screw it and leaving it alone.
I brought this up already and pointed it out, but just because Windows CAN be locked down, doesn't mean it is, and auto log in, though neat for those who don't care about a password.... It works great on Linux, where the Root account isn't the default by any means, and you have to add a non root user, and then you can have THAT account auto log in...
It's not that Auto Login is a terrible idea, I know why people like it, they don't have to do anything! It's like those days of Windows 9X where clicking on Cancel would let you in just as well as the password.... (Remember Profiles? Lol)....
In other words, sure, for those of us who know what we're doing with a Computer, this thing is probably crap, but for literally more than 90% of the Home Users? Pffft.
If the solution was as simple as "Well don't use the admin account" you'd be out of a job.
July 27th, 2010, 02:25 AM
Its still dog doo-doo when it comes to permissions though. Your allowed to read, execute, and write (but not modify) almost anything you want as nobody. Under a guest account in windows your not given write access to anything at all.
By s3nate in forum Operating Systems
Last Post: July 20th, 2004, 10:32 AM
By Cybr1d in forum Miscellaneous Security Discussions
Last Post: June 10th, 2004, 12:09 AM
By DeadAddict in forum Other Tutorials Forum
Last Post: November 18th, 2003, 12:20 PM
By TheFiend in forum Miscellaneous Security Discussions
Last Post: June 14th, 2003, 11:08 PM
By qwerty_smith in forum Microsoft Security Discussions
Last Post: February 5th, 2003, 08:41 PM