Patching Windows XP SP2 for the Shortcut LNK Vulnerability MS10-046

So we all know that on the 13th July 2010 Microsoft support for Windows 2000 Service Pack 4, and Windows XP Service Pack 2 came to an end.

Then on the 16th July they released Microsoft Security Advisory 2286198 regarding a critical vulnerability that could allow remote code execution. This was then updated to a Security Bulletin and out-of-band patch, MS10-046.

The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

So Microsoft then released the patch for XP SP3 and above, which is fine and great. However, many organisations still have XP SP2, and this is a pretty good vuln, so you really would want to patch it. So obviously the best thing to do is pull your finger out and get up to XP SP3, as these sorts of issues will continue and you need to be on a supported platform. Easier said than done for some companies, but we really should put the effort in.

However… I was speaking to a friend, who will remain unnamed, and he informed me that his company have been issued with a patch for XP SP2 to resolve the shortcut LNK vulnerability (MS10-046). So we start talking to our Microsoft reps, and apparently there is no such thing, etc. etc. So I speak to my friend some more and get the filename and hash for the file. Then, speaking to Microsoft some more, still denial, but then they say, oh well, there is something like that, but it’s for embedded systems only: Security Update for Windows XP Embedded (KB2286198).

So I think to myself, well, I will check with my friend, and he confirms the hashes are the same, and it’s the same file. I look at the properties and it says it’s OK for XP SP2, nothing about being embedded. So I grab a spare XP SP2 machine and install it. All verifies OK, and installs. Reboot. No problem. So this should work, right?

Time to test.

Below is a simple quick and dirty video of an XP SP2 VM (this was the Home edition I had handy, but I have also checked on the Professional edition with the same results) where I use the Metasploit MS10-046 exploit to get a shell. I then apply the KB2286198 patch mentioned above, and guess what, no more shell. I am not sure why Microsoft are not sharing this info openly, but I guess at the same time it is there to test and download. Perhaps they don’t want to set up an out-of-support patching, bite-them-in-the-arse type situation.

Apologies, the video is a bit blurry, but this was a quick job. I recommend going HD on it for a little more clarity.

So basically this patch seems to fix the vulnerability in Windows XP SP2. So what now? I recommend people carry out their own testing, and then, if appropriate, look to apply this patch as an interim measure. However, it is still important to update your systems to XP Service Pack 3 or to Windows 7, as these issues will continue, and you may not be so lucky next time.

I have not seen this information anywhere else, so please spread the word and let’s get these machines fixed.


10 Responses to “Patching Windows XP SP2 for the Shortcut LNK Vulnerability MS10-046”

  1. [...] This post was mentioned on Twitter by Thomas Fischer, Wim Remes. Wim Remes said: RT @daleapearson: Patching Windows XP SP2 for the Shortcut LNK Vulnerability MS10-046 – http://is.gd/eb52A – Please RT [...]

  2. RichieB says:

    Great find, thanks for sharing! So Microsoft actually has a working patch, but deliberately leaves millions of XP SP2 systems vulnerable just because they EOS-ed it 2 months ago? As they clearly already put in the technical effort, this looks like a very very bad marketing decision. All my hopes and dreams of Microsoft becoming responsible about security are shattered once again.

  3. RichieB: MS won’t have tested this patch, except on the embedded systems it was designed for. They aren’t going to offer people a patch that hasn’t been tested; that *would* be irresponsible.

    Besides, anybody who hasn’t installed SP3 yet is clearly incompetent, and this vulnerability is probably the least of their worries. I mean, come on – it’s been two years. What, are you waiting for the movie?

  4. Sitaram says:

    Installation may work with this trick, but what about functionality? Did someone try exploiting the XP SP2 patched computer with the Win32.Sality? There is no use in installing this patch if it won’t defend the vulnerability.

    Moreover, one needs to keep a point in mind that they should revert this value back after the patch installation. Otherwise, other monthly patches will get downloaded if you have configured Windows Update. Also XP SP3 installation will fail saying you already upgraded :-/

  5. Dale says:

    This is not a trick, this is a patch from Microsoft.
    They may not fully support it, but it’s better than nothing.

    Installing SP3 after installing this patch is no problem, nothing needs to be removed.
    I have not found this to be the case anyway.

  6. John says:

    I successfully applied the reghack and KB2286198 to an XP SP2 box. After rebooting, click-n-drag functionality on the desktop is lost. i.e. If I drag a txt file onto a notepad icon on my desktop, nothing happens.

  7. John says:

    I successfully applied the reghack and KB2286198 to an XP SP2 box. After rebooting, click-n-drag functionality on the desktop is lost. i.e. If I drag a txt file onto a notepad icon on my desktop, nothing happens. If I click-n-drag a file onto a folder, the file isn’t moved – nothing happens.

    I should add that this behavior occurs if I use the reghack + KB2286198 or KB2286198-Embedded.

  8. Dale says:

    You don’t need a reg hack, and I don’t mention anything about using a reg hack in my guide or video.

  9. Dale says:

    Again, I don’t mention any registry changes; this is not a hacked way of doing things.

  10. [...] with Microsoft had an inside line that provided them access to the patch.  After some research, Dale Pearson of Security Active posted his findings. Apparently the published patch for XP embedded does work on SP2 systems.  Since the only thing [...]
