A remote code execution warning for Windows Shell on XP was posted yesterday: Microsoft Security Advisory (2286198).
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.
Turn off AutoPlay
It was no good anyway
Except for exploits
Update: Sophos says disabling autoplay is not an answer
Sophos senior technology consultant Graham Cluley told ZDNet UK that the rootkit circumvents preventative measures such as disabling autorun and autoplay in Windows.
“This waltzes around autorun disable,” said Cluley. “Simply viewing the icon will run the malware.”