Fixing Shortcut Link Vuln in Win XP SP 2
Posted: Sat Aug 14, 2010 3:48 am
Many XP users, including Steve Gibson, have found that installing XP's Service Pack 3 breaks their machines. Also, the official advice from Tech Support of this writer's OEM (Toshiba) is *not* to install SP3, and they do *not* support it.
Support for XP SP2 was officially discontinued after the July Patch Tuesday update, the last one for SP 2. However, the Windows Shortcut Link Vulnerability, a critical remote-code-execution vuln, affects all Windows OSs of the past ten years, back to Windows 2000.
No known cure for Win 2k yet. However, *unofficially*, there is a fix for Win XP SP 2. It seems that Windows XP Embedded SP 2 will still be supported through at least January 11, 2011. And it seems that the installer for the patch for that system also runs on desktop SP2. MS installers are usually very fussy about compatibility -- try downloading and running the "regular" SP3 patch on your SP 2 system; message: "Setup has detected that your Service Pack Version is too low. You need at least SP3 blah blah..." So, the fact that the Embedded patch successfully runs on SP2 Home is a good sign.
The official link is http://www.microsoft.com/downloads/deta ... 476086e7ca , although Gibson created a snip link, http://snipurl.com/linkme , which is easier to remember, copy, send to friends, etc. Same landing page.
Your faithful guinea pig (moi) tested this - after creating a full-disk-image backup, of course. Installs fine; machine runs fine.
Results: the affected file, C:\windows\system32\shell32.dll, is updated from v.6.00.2900.3402 to xxx.3736, with the update timestamp July 27, 2010, from the previous April 2010. Success.
The "official" MS Update, for SP3, shows a v. of xxx.6018. Concern? No, it wouldn't be unusual for different SPs to have different file versions. Proof:
"C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}" now contains a digitally-signed Security Catalog with this number, KB2286198.cat.
Also, in ultra-hidden C:\Windows\$hf_mig$ , there's a folder by that KB number. Opening sub-folder SP3GDR (General Development Release? I think?, i. e., for supported versions) shows a copy of the version listed in the "supported", standard Update, shell32.dll v.6.00.2900.6018 (for SP3), yet it also has a folder, SP2QFE, (Quick Fix Engineering, a suffix for "hotfixes" that are issued pending a fully-tested, full-release patch, or otherwise indicating "special situation" patches that are not part of general Updates and Auto-Updates) indicating that it was fully intended for SP2, and with the version number matching that in system32\shell32.dll, xxx.3736. Voila, Q.E.D.
So it is in fact updated, with the same timestamp as the SP3 version. I've been trying to find a "tester" (a place that benignly demonstrates whether a certain exploit will run on your machine), and so has Gibson, but based on this info, I consider it fixed. If anyone finds a benign POC, please post a reply.
"Updates to Windows XP Embedded are available as Quick Fix Engineering (QFE) updates. QFE is a Microsoft term for the delivery of individual service updates to products. You should routinely check the QFE webpage and keep your Windows XP Embedded system up to date."
Uh, no, thanks. That's a developer site and has zillions of updates for dev tools. So, we need to figure out the algorithm to translate future SP3 updates to SP 2 Embedded page. Good idea to reproduce this yourself for practice:
Go to support.microsoft.com/search
temporarily allow scripting from support.microsoft.com
advanced search, click "show more search options".
enter the six- or seven digit KB number from the "regular" update, i. e. 2286198 in this case.
On what product? Bottom of drop-down = "More products". (WOW, they have a lot of products!)
From alpha list, choose "Windows XP Embedded"
Where do you want to search? Uncheck the three sub-categories of MS Support Content. Check "Search Microsoft.com" only. (Make sure the 228- number is still in the search box.)
Click "Search" at the bottom.
The top result has the link to this patch.
Let's hope that future ones are this easy.
For the heck of it, tried it with the Kernel vuln, 981852 , not that I would have installed it anyway, and it properly showed no results, as an embedded system clearly has a much different, and smaller, kernel than a desktop system. Not remotely exploitable anyway, so not concerned here.
Shout-out to Steve Gibson for finding this. Security Now! links for the episode:
HQ podcast
Low-bandwidth podcast
.pdf
HTML page
Text document
I find them easier to read if you go to the main security-broadcast page, http://www.grc.com/SecurityNow.htm , and click "Save as..." to download the text file. It opens much more neatly in your own Notepad or whatever than the direct Web link. This is "Episode #261, 12 Aug 2010".
DISCLAIMER: THIS ADVICE IS NOT OFFICIALLY ENDORSED NOR SUPPORTED BY MICROSOFT OR ANYONE ELSE, INCLUDING THIS FORUM OR THIS WRITER. POSTED IN THE HOPE THAT IT MAY BE OF SOME USE TO SOME USERS, BUT WITH NO GUARANTEES, EXPRESS OR IMPLIED, AND NO LIABILITY. BE SURE FIRST TO MAKE A FULL-DISK-IMAGE BACKUP, OR AT LEAST A SYSTEM RESTORE POINT ("regular" MS updates make their own RPs, but I don't know whether embedded systems have System Restore -- doubt it - and I don't have it, either, in favor of full-disk backups.)
POSTED "AS-IS". USE AT YOUR OWN RISK, OR DO NOT USE THIS MATERIAL AT ALL.
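The post above checks the install by hand: shell32.dll version in system32, the signed KB2286198.cat in CatRoot, and the SP2QFE / SP3GDR copies under $hf_mig$. Below is an added example script (not from the original post, and not Microsoft's) that runs those same three checks in one go so they can be repeated after any future patch. It assumes PowerShell 2.0 is installed on the XP SP2 machine (it is not there by default); the paths, KB number and version numbers are the ones reported in the post.

```powershell
# Added example, not part of the original post. Verifies the KB2286198
# (shortcut-link / LNK) fix on an XP SP2 box patched with the XP Embedded
# package, using the three artifacts the post describes.
# Assumption: PowerShell 2.0 is installed on the XP machine.

$kb              = 'KB2286198'
$expectedShell32 = [Version]'6.0.2900.3736'   # SP2QFE build reported in the post
$catRoot = Join-Path $env:windir 'system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
$hfMig   = Join-Path $env:windir ('$hf_mig$\' + $kb)

function Get-FileVer([string]$path) {
    # Build a System.Version from the numeric parts; the FileVersion string
    # itself often carries a trailing tag like "(xpsp.100727-1551)".
    if (-not (Test-Path $path)) { return $null }
    $v = (Get-Item $path).VersionInfo
    [Version]('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
}

function New-Result([string]$check, [bool]$pass, [string]$detail) {
    New-Object PSObject -Property @{ Check = $check; Pass = $pass; Detail = $detail }
}

$results = @()

# 1. Live shell32.dll must be at least the patched build (-ge, so a later
#    update that replaces the file still counts as fixed).
$live = Get-FileVer (Join-Path $env:windir 'system32\shell32.dll')
$results += New-Result 'system32\shell32.dll version' ($live -ne $null -and $live -ge $expectedShell32) "$live"

# 2. The security catalog must exist and carry a valid Authenticode signature.
$cat = Join-Path $catRoot "$kb.cat"
if (Test-Path $cat) {
    $sig = Get-AuthenticodeSignature $cat
    $results += New-Result "$kb.cat signature" ($sig.Status -eq 'Valid') ("{0} / {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
} else {
    $results += New-Result "$kb.cat signature" $false 'catalog missing'
}

# 3. $hf_mig$ must hold the SP2QFE branch (the one actually installed here)
#    and the SP3GDR branch the post compares it against.
foreach ($branch in 'SP2QFE', 'SP3GDR') {
    $dll = Join-Path (Join-Path $hfMig $branch) 'shell32.dll'
    $ver = Get-FileVer $dll
    $mustMatch = if ($branch -eq 'SP2QFE') { $ver -eq $expectedShell32 } else { $ver -ne $null }
    $results += New-Result "\$hf_mig\$\$kb\$branch\shell32.dll" $mustMatch "$ver"
}

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more checks failed; do not assume the LNK fix is in place.' }
```

As the post itself says, a matching file version and a valid signed catalog show that the patch was installed, not that the exploit is closed; a benign proof-of-concept .lnk would still be the only direct test of that.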