Fixing Shortcut Link Vuln in Win XP SP 2

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Fixing Shortcut Link Vuln in Win XP SP 2

Post by Tom T. » Sat Aug 14, 2010 3:48 am

Many XP users, including Steve Gibson, have found that installing XP's Service Pack 3 breaks their machines. Also, the official advice from Tech Support of this writer's OEM (Toshiba) is *not* to install SP3, and they do *not* support it.

Support for XP SP2 was officially discontinued after the July Patch Tuesday update, the last one for SP 2. However, the Windows Shortcut Link Vulnerability, a critical remote-code-execution vuln, affects all Windows OSs of the past ten years, back to Windows 2000.

No known cure for Win 2k yet. However, *unofficially*, there is a fix for Win XP SP 2. It seems that Windows XP Embedded SP 2 will still be supported through at least January 11, 2011. And it seems that the installer for the patch for that system also runs on desktop SP2. MS installers are usually very fussy about compatibility -- try downloading and running the "regular" SP3 patch on your SP 2 system; message: "Setup has detected that your Service Pack Version is too low. You need at least SP3 blah blah..." So, the fact that the Embedded patch successfully runs on SP2 Home is a good sign.

The official link is http://www.microsoft.com/downloads/deta ... 476086e7ca , although Gibson created a snip link, http://snipurl.com/linkme , which is easier to remember, copy, send to friends, etc. Same landing page.

Your faithful guinea pig (moi) tested this - after creating a full-disk-image backup, of course. Installs fine; machine runs fine.

Results: the affected file, C:\windows\system32\shell32.dll, is updated from v.6.00.2900.3402 to xxx.3736, with the update timestamp July 27, 2010, from the previous April 2010. Success.

The "official" MS Update, for SP3, shows a v. of xxx.6018. Concern? No, it wouldn't be unusual for different SPs to have different file versions. Proof:
"C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}" now contains a digitally-signed Security Catalog with this number, KB2286198.cat.

Also, in ultra-hidden C:\Windows\$hf_mig$ , there's a folder by that KB number. Opening sub-folder SP3GDR (General Development Release? I think?, i. e., for supported versions) shows a copy of the version listed in the "supported", standard Update, shell32.dll v.6.00.2900.6018 (for SP3), yet it also has a folder, SP2QFE, (Quick Fix Engineering, a suffix for "hotfixes" that are issued pending a fully-tested, full-release patch, or otherwise indicating "special situation" patches that are not part of general Updates and Auto-Updates) indicating that it was fully intended for SP2, and with the version number matching that in system32\shell32.dll, xxx.3736. Voila, Q.E.D.

So it is in fact updated, with the same timestamp as the SP3 version. I've been trying to find a "tester" (a place that benignly demonstrates whether a certain exploit will run on your machine), and so has Gibson, but based on this info, I consider it fixed. If anyone finds a benign POC, please post a reply.

"Updates to Windows XP Embedded are available as Quick Fix Engineering (QFE) updates. QFE is a Microsoft term for the delivery of individual service updates to products. You should routinely check the QFE webpage and keep your Windows XP Embedded system up to date."

Uh, no, thanks. That's a developer site and has zillions of updates for dev tools. So, we need to figure out the algorithm to translate future SP3 updates to the SP 2 Embedded page. Good idea to reproduce this yourself for practice:

Go to support.microsoft.com/search
temporarily allow scripting from support.microsoft.com
advanced search, click "show more search options".
enter the six- or seven-digit KB number from the "regular" update, i. e. 2286198 in this case.
On what product? Bottom of drop-down = "More products". (WOW, they have a lot of products!)
From alpha list, choose "Windows XP Embedded"
Where do you want to search? Uncheck the three sub-categories of MS Support Content. Check "Search Microsoft.com" only. (make sure the 226- number is still in the search box.)
Click "Search" at the bottom.

The top result has the link to this patch.

Let's hope that future ones are this easy.

For the heck of it, tried it with the Kernel vuln, 981852, not that I would have installed it anyway, and it properly showed no results, as an embedded system clearly has a much different, and smaller, kernel than a desktop system. Not remotely exploitable anyway, so not concerned here.

Shout-out to Steve Gibson for finding this:
HQ podcast
Low-bandwidth podcast
.pdf
HTML page
Text document

I find them easier to read if you go to the main security-broadcast page, http://www.grc.com/SecurityNow.htm , and click to "Save as.. " and download the text file. Opens much more neatly with your own Notepad or whatever than the direct Web link. This is "Episode #261, 12 Aug 2010".

DISCLAIMER: THIS ADVICE IS NOT OFFICIALLY ENDORSED NOR SUPPORTED BY MICROSOFT OR ANYONE ELSE, INCLUDING THIS FORUM OR THIS WRITER. POSTED IN THE HOPE THAT IT MAY BE OF SOME USE TO SOME USERS, BUT WITH NO GUARANTEES, EXPRESS OR IMPLIED, AND NO LIABILITY. BE SURE FIRST TO MAKE A FULL-DISK-IMAGE BACKUP, OR AT LEAST A SYSTEM RESTORE POINT ("regular" MS updates make their own RPs, but I don't know whether embedded systems have System Restore -- doubt it - and I don't have it, either, in favor of full-disk backups.)

POSTED "AS-IS". USE AT YOUR OWN RISK, OR DO NOT USE THIS MATERIAL AT ALL.
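The verification steps above (file version of shell32.dll, the KB2286198.cat security catalog in CatRoot, and the SP2QFE copy under $hf_mig$) can be scripted so that the check is repeatable after a reboot or on a second SP2 machine. The script below is an added example, not from the original post or from Microsoft; it assumes Windows PowerShell is installed on the XP box (it was an optional download for XP, not part of SP2), that the paths are the ones named in the post, and that the expected post-patch version is 6.0.2900.3736 as reported above. Get-AuthenticodeSignature is used to confirm the catalog is validly signed; if the cmdlet reports anything other than Valid, treat the install as suspect rather than fixed.

```powershell
# Added example: verify the KB2286198 (.LNK vuln) install on XP SP2.
# Paths, KB number and version are taken from the post; PowerShell itself is assumed present.

$ExpectedVersion = [version]"6.0.2900.3736"          # post-patch shell32.dll (SP2QFE build)
$Shell32         = Join-Path $env:windir "system32\shell32.dll"
$CatRoot         = Join-Path $env:windir "system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}"
$Catalog         = Join-Path $CatRoot "KB2286198.cat"
$HotfixDir       = Join-Path $env:windir '$hf_mig$\KB2286198\SP2QFE\shell32.dll'

function Get-FileVersionObject {
    param([string]$Path)
    # FileVersion string on XP looks like "6.00.2900.3736 (xpsp.100727-1658)",
    # so build a System.Version from the numeric parts instead of parsing text.
    $vi = (Get-Item $Path).VersionInfo
    New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

$failures = @()

# 1. Is the live shell32.dll at or above the patched build?
if (Test-Path $Shell32) {
    $live = Get-FileVersionObject $Shell32
    Write-Host ("shell32.dll version: {0}" -f $live)
    if ($live -lt $ExpectedVersion) { $failures += "shell32.dll is $live, expected >= $ExpectedVersion" }
} else {
    $failures += "shell32.dll not found at $Shell32"
}

# 2. Does the security catalog for the KB exist, and is its signature valid?
if (Test-Path $Catalog) {
    $sig = Get-AuthenticodeSignature $Catalog
    Write-Host ("KB2286198.cat signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
    if ($sig.Status -ne "Valid") { $failures += "catalog signature status is $($sig.Status)" }
} else {
    $failures += "security catalog not found: $Catalog"
}

# 3. Does the $hf_mig$ SP2QFE copy match the live file, proving the SP2 branch was applied?
if (Test-Path $HotfixDir) {
    $qfe = Get-FileVersionObject $HotfixDir
    Write-Host ("\$hf_mig\$ SP2QFE shell32.dll version: {0}" -f $qfe)
    if (Test-Path $Shell32 -and $qfe -ne $live) { $failures += "SP2QFE copy ($qfe) differs from live file ($live)" }
} else {
    $failures += "SP2QFE hotfix copy not found under $HotfixDir"
}

if ($failures.Count -eq 0) {
    Write-Host "All checks passed: KB2286198 appears to be applied."
} else {
    Write-Host "Checks FAILED:"
    $failures | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

Run it from an elevated PowerShell prompt; CatRoot and $hf_mig$ are not readable by limited users on every system. A non-zero exit code makes the script usable from a batch file or login script if you want to re-check a fleet of SP2 machines.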

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by dhouwn » Sat Aug 14, 2010 10:43 am

Tom T. wrote:No known cure for Win 2k yet. However, *unofficially*, there is a fix for Win XP SP 2. It seems that Windows XP Embedded SP 2 will still be supported through at least January 11, 2011.
Is it because the SP3 for XPe was released months after the SP3 for classic XP? The same is probably also the case for WinFLP.

Just wondering, what will you do after this patch stream dries up? IMHO, you should then try get ahold of an untouched XP image with integrated SP3, modify it for your OEM activation needs and do a clean install (after deleting all partitions including any potential 'recovery' partitions by your OEM).

therube
Ambassador
Posts: 7528
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by therube » Sat Aug 14, 2010 1:43 pm

Stop fighting it. Install SP3 & be done with it.

Specific situation where SP3 won't work, then you do what you can do.

> you should then try get ahold of an untouched XP image with integrated SP3, modify it for your OEM activation needs and do a clean install

I'm investigating that right now (though not because of SP3 reasons).

My thought is that taking a retail XP Home SP3, modifying SETUPP.INI should work. It does accept the key from the label on the computer case, though I haven't tried to validate it yet.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by Tom T. » Sat Aug 14, 2010 8:53 pm

dhouwn wrote:
Tom T. wrote:No known cure for Win 2k yet. However, *unofficially*, there is a fix for Win XP SP 2. It seems that Windows XP Embedded SP 2 will still be supported through at least January 11, 2011.
Is it because the SP3 for XPe was released months after the SP3 for classic XP?
You're asking *me* how *Microsoft* thinks? :?:
dhouwn wrote:Just wondering, what will you do after this patch stream dries up?

Guess I've already faced that decision when the announcement was made several months ago to end support for SP2. Which was, "wait and see".
The announced "end of sale" of *all* XP was delayed twice, due to customer demand and the monstrous flop of Vista (23% Vista, 69% XP, as of Win 7's release.)
Given that there are literally millions of users who can't use SP3, let's see what happens in January 2011.

I think there could be a good niche marketing an OS that's been vetted for nine years, longest availability of *any MS OS ever* (incl. DOS), for less affluent consumers and nations, using lower-end hw. But they didn't ask me. :o
dhouwn wrote:IMHO, you should then try get ahold of an untouched XP image with integrated SP3,

"Get ahold of"? Do you mean, "buy", "pirate", "counterfeit", "crack", or what? :?
dhouwn wrote:modify it for your OEM activation needs and do a clean install (after deleting all partitions including any potential 'recovery' partitions by your OEM).

It's more than "activation needs". You have special drivers for the various hw, etc.... OEM images are custom-made by each OEM, often differ from model to model, and can be *very* different from a retail disk ... And even if this writer could do so, what about all the zillions of average home users who can't?
therube wrote:Stop fighting it. Install SP3 & be done with it.
Specific situation where SP3 won't work, then you do what you can do.

There are some things in SP3 I don't *want* (like IE 8, probably uninstallable, though I've uninstalled most of the IE 6 that came with this, including the executable itself). And some things I don't *like* -- like the fact that they don't readily tell you what's in it, only a rollup "plus some other items that should not significantly change the user experience". I don't trust MS updates even when they label them -- they each get vetted individually. I'm not installing something if I don't know what's in it.

It's flat hosed some machines. Gibson was lucky enough to be able to uninstall it with Add/Remove, reverting to SP2, (and I'd have a full-disk-image backup), but others have had to reinstall Win from scratch.

We're overlooking the fact that the OEM *does not support* SP3, or that cracked retail version, or whatever, so the extended warranty on one machine would be invalidated.

Another issue: Having spent parts of the last two years trimming XP's Windows folder from about 4 GB to <150 MB, I'd really rather not go through that again -- *especially* since SP 3 introduces dependencies that SP 2 doesn't have. E. g., IE 7 adds files, which then become required *for other OS functions*, that IE 6 doesn't have. And who knows what else? It'd be the same trial-and-error process all over again. Uh, no, thanks. :?
therube wrote:I'm investigating that right now (though not because of SP3 reasons).

My thought is that taking a retail XP Home SP3, modifying SETUPP.INI should work. It does accept the key from the label on the computer case, though I haven't tried to validate it yet.

The results will be interesting. If you post them somewhere other than this thread, maybe put a shadow copy or link at this thread, so both this writer and others with the same attachment to SP2 will be sure to see them?

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by dhouwn » Sat Aug 14, 2010 10:22 pm

Tom T. wrote:"Get ahold of"? Do you mean, "buy", "pirate", "counterfeit", "crack", or what? :?
If you happen to be Technet subscriber you get access to the web interface with the links to the CD (or floppy ;)) images of nearly every Windows version.

Tom T. wrote:It's more than "activation needs". You have special drivers for the various hw, etc....
Backing up drivers and eventually integrating them into the image might be a good idea. Drivers that work on SP2 should also work on SP3 in most cases (the only exception to this I've seen was a driver for the specialised buttons which was tightly bound to the more or less useful 'tools' the OEM offered and which refused to run on service pack versions they were not 'tested' on).

Tom T. wrote:OEM images are custom-made by each OEM, often differ from model to model, and can be *very* different from a retail disk ...
[rant]Yeah, but in any case full with trial software, out-of-date drivers and OEM-own system 'tools' that are often adware and always quite limited in their usefulness.[/rant]

Tom T. wrote:And even if this writer could do so, what about all the zillions of average home users who can't?
They should contact their nearest nerd of course. Also, there are quite some nicely-UIfied tools for modifying the image files of their Microsoft OS, making it possible to integrate drivers, updates and to remove some ballast.

Tom T. wrote:There are some things in SP3 I don't *want* (like IE 8, probably uninstallable
IE8 is not part of SP3 and actually an IE update has never been part of any service pack. I guess people get this misconception because newer IE versions are automatically downloaded and installed if the automatic update function is on (which I am quite happy about). It is not really uninstallable BTW.

Tom T. wrote:And some things I don't *like* -- like the fact that they don't readily tell you what's in it, only a rollup "plus some other items that should not significantly change the user experience".
Many executables and libraries were compiled with a newer compiler version, giving it a minor speed boost. It updates WSH (making IE6 less leaky and the JS hacker in me happier) and has some quite useful new libraries included like XMLLite and one for Imaging.

Tom T. wrote:I don't trust MS updates even when they label them -- they each get vetted individually. I'm not installing something if I don't know what's in it.
Well, as long as you don't insist on compiling them yourself… ;)

Tom T. wrote:It's flat hosed some machines.
Yeah, I heard about it, the issue with the AMD driver on non-AMD machines (which was only possible due to the carelessness of the OEM).

Tom T. wrote:We're overlooking the fact that the OEM *does not support* SP3, or that cracked retail version, or whatever, so the extended warranty on one machine would be invalidated.
Surely not on the hardware and that's what counts IMHO (otherwise there would be the option of just replaying the original image before bringing it to the service).

therube wrote:My thought is that taking a retail XP Home SP3, modifying SETUPP.INI should work. It does accept the key from the label on the computer case, though I haven't tried to validate it yet.
Nah, AFAIK you need to modify/add more than one file (for example one that matches the specific OEM identification in your BIOS).

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by GµårÐïåñ » Mon Aug 16, 2010 4:26 pm

Actually it is quite easy to make your own OEM SP3 disk. If you have an OEM XP disk, then just download the admin/distribution copy of the SP3 and then simply slipstream it into the original image, re-burn to disk and voila, you are a proud owner of an OEM XP SP3. If you google it you will find a million instructions on how to do it, or if you want you can ask me and I will post step by step instructions. I have had a volume original XP which I got back in 2001 or so, it doesn't need activation and since then I have made my own SP1, SP2, SP3 disks with that original image and I have never had a problem and it's very easy to do. Time consuming and space consuming while you make it, YES, difficult, NO.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by Tom T. » Tue Aug 17, 2010 1:15 am

GµårÐïåñ wrote:Actually it is quite easy to make your own OEM SP3 disk. [snip].

Thanks for the information, my friend, but as I tried to make clear, I don't *want* SP3, and my OEM doesn't think I should have it, either. Nice to see you here, though. :D
dhouwn wrote:If you happen to be Technet subscriber you get access to the web interface with the links to the CD (or floppy ;)) images of nearly every Windows version.

I don't know how much it costs to be a Technet subscriber, but I'm sure they don't intend for people to have full access to burn Win CDs and sell them. Would still require activation key, surely. Also, see above. I *don't want* SP3.
dhouwn wrote:[rant]Yeah, but in any case full with trial software, out-of-date drivers and OEM-own system 'tools' that are often adware and always quite limited in their usefulness.[/rant]

Agree completely. But if they set it up so that your hw *requires* their files ... One example: In %windir%\inf, there are *thirty-one* custom .inf files, called oem0.inf, oem1.inf .... oem30.inf. I don't intend to read all thirty-one -- they range from a few k to almost a Mb -- and see which ones I might have to add to a retail disk, nor to do it by trial and error, nor to see which ones are *modified* versions of the retail .infs.
I've sort of covered this with Tech Support. A "recovery disk" for one model is good for that model, period. E. g. disk for Satellite 1600 won't work on Satellite 1650. Even in the same model family. Agree with rant, but that's the way it is, and it would be a huge obstacle to modifying a retail image, which I don't want to do, because I don't want -- oops. already said that (twice, I think.)
Tom T. wrote:And even if this writer could do so, what about all the zillions of average home users who can't?

dhouwn wrote:They should contact their nearest nerd of course. Also, there are quite some nicely-UIfied tools for modifying the image files of their Microsoft OS, making it possible to integrate drivers, updates and to remove some ballast.

The first idea was the best, assuming that they know one and that they know that they need one. Otherwise, I'm afraid that like most techies I've talked with, your view of the Average Home User is very distant from reality. (Go to big store. Buy. Take home. Plug in. Done.) 80% of NS downloaders eventually uninstall it, or at least allow JS globally, because it's "too complicated" or "too much trouble". And this is the Venn subset of all people who know enough to know about NoScript, which is a subset (small) of all Fx users, which is a subset (gaining ground) of those who know that IE is not the safest browser around -- or who even have any idea that the Net holds dangers.
dhouwn wrote:Many executables and libraries were compiled with a newer compiler version, giving it a minor speed boost. It updates WSH (making IE6 less leaky and the JS hacker in me happier) and has some quite useful new libraries included like XMLLite and one for Imaging.

I got a *major* speed boost by deleting 93% of it. As OP said, don't want to go through that again, and I'm sure it overshadows their "minor" speed boost.
WSH: Windows Sockets Helper, in which case, might be useful? Or Windows Script Host, long gone from this machine?
Makes IE 6 less leaky? Who cares? Haven't used IE in more than a year, and never intend to use it again. As mentioned in OP, it, too, is long gone from this machine.
Tom T. wrote:It's flat hosed some machines.

dhouwn wrote:Yeah, I heard about it, the issue with the AMD driver on non-AMD machines (which was only possible due to the carelessness of the OEM).

It's far more than that. Scroogle it. (who uses Google anymore, if they're remotely tech-aware and/or privacy-sensitive?) Steve Gibson didn't say anything about any AMD issues.
Tom T. wrote:We're overlooking the fact that the OEM *does not support* SP3, or that cracked retail version, or whatever, so the extended warranty on one machine would be invalidated.

dhouwn wrote:Surely not on the hardware and that's what counts IMHO (otherwise there would be option of just replaying the original Image before bringing to the service).

Good point about the hw, and *almost* a good idea. Bringing it in with an OOB recovery-disk version is going to look verrrrry suspicious; you'd have to spend a lot of time installing some stuff and making it look used. And they might claim that improper sw can harm the hw, or just stand on the fine print that the machine's factory files were altered in a manner unsupported by them or by MS.

I appreciate your time and thought on this, but the purpose of the post was to let others like me, who *want* to stay on SP2, for whatever crazy, insane, or idiotic reasons, know that there was a way to fix the OS-centric, critical-severity .LNK vuln. Cheers.
Last edited by Tom T. on Tue Aug 17, 2010 1:18 am, edited 1 time in total.
Reason: fix typo

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by GµårÐïåñ » Tue Aug 17, 2010 7:27 am

Tom T. wrote:Thanks for the information, my friend, but as I tried to make clear, I don't *want* SP3, and my OEM doesn't think I should have it, either. Nice to see you here, though. :D


My brother, I assure you that _I_ understood what you were saying. My comment was more directed towards all the other untouched this, hacked that and so on, and saying that it's very easy to make. Think of it as a PSA or the last word to get it back on topic. I know what you said, I read your post, and I understood it and moreover I know exactly what you were trying to say and I respect that and the fact that you found a way through it without having to succumb to SP3. You certainly achieved it without the bloat. It is good to see you as well my friend, I hope to be around more and wish you the same. Now, sorry for the interruption, I will bow out and leave you to the topic at hand.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by Tom T. » Wed Aug 18, 2010 8:43 pm

@ Guardian: I think the topic is done -- those with SP 2 have their fix. ;)
Good job on simplifying the other process for others, though. :ugeek:
Talk soon, here or you-know-where. Salud, dinero, y amor - Tom.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Fixing Shortcut Link Vuln in Win XP SP 2

Post by GµårÐïåñ » Thu Aug 19, 2010 2:34 am

Tom T. wrote:@ Guardian: I think the topic is done -- those with SP 2 have their fix. ;)
Good job on simplifying the other process for others, though. :ugeek:
Talk soon, here or you-know-where. Salud, dinero, y amor - Tom.


Yes they do indeed, good job for the update, well done. Thank you, I try my best, and I will be updating my FAQ page which I maintain that contains informational tutorials like this. For now it's on my blog but I will be gathering them back in one place again soon. I have to update the infrastructure for it, soon enough. Yes, here and I know where ;)
