About this article:
Last modified: 2012-06-08 16:59:31 EEST

lnkProtect

In July 2010, a zero-day vulnerability was discovered in all Windows versions. The bug lets an attacker execute malicious code via icons in shortcut files (those with the ".lnk" extension) on removable drives (USB sticks, for example) without any user interaction. This means that after you click on a specially crafted shortcut file, the malicious code will silently run and possibly install a rootkit, a trojan or a virus on your computer.

If you do not know what malicious code is, read our What is malware? article.

This security hole was patched on August 3rd, 2010. Until then, you can use our own tiny lnkProtect ("lnk" for "Link", not "ink") program for turning off icon parsing in shortcut files. This means that you will see no icons for shortcut files in the Start menu's All Programs list and the Quick Launch Toolbar - a small inconvenience, as the shortcuts will still work fine. You will still see icons for programs, Desktop items and Notification Bar items.
You can also use lnkProtect to turn the icons back on after installing Microsoft's patch in August.
This is what the Quick Launch Toolbar will look like after using the protection (a yellow notification balloon will display the program's name if you hover the mouse pointer over it):
Windows XP, lnkProtect turned on

Please note that Microsoft provides no further security patches for users of Windows 2000, Windows XP without Service Packs or Windows XP Service Pack 1 and 2, and Windows Vista without Service Packs or Windows Vista with Service Pack 1. For those users, lnkProtect is a way of protecting their computers from the attacks.

2010-08-10 update: you can change a registry key on Windows XP Service Pack 2 computers and still get all security updates. Read F-Secure's blog post for further instructions.
Please remember that editing the Windows registry incorrectly can do a lot of harm and might make your computer inoperable! Please read our Backup and restore and Troubleshooting sections for Windows XP first!

How lnkProtect works and system requirements

lnkProtect clears the default value of the IconHandler key in the Windows Registry as specified in the Workarounds section of Microsoft Security Advisory (2286198) - Vulnerability in Windows Shell Could Allow Remote Code Execution. This means that no icons will be loaded for shortcut (.lnk) files. The WebClient service remains untouched because it is often required for Microsoft SharePoint users and not started on most computers.
You can also restore the default value of the IconHandler key using lnkProtect.
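The same registry change can be checked, applied and reverted by hand. The PowerShell sketch below is an added example, not lnkProtect's own code; the key path and default CLSID are taken from Microsoft's advisory rather than from this article, and the function names and backup file name are hypothetical.

```powershell
# Added illustration, not lnkProtect's source. Run in an elevated PowerShell session.
# Assumption: key path and default CLSID come from Microsoft Security Advisory 2286198.
$SubKey       = 'lnkfile\shellex\IconHandler'              # under HKEY_CLASSES_ROOT
$DefaultClsid = '{00021401-0000-0000-C000-000000000046}'   # stock shortcut icon handler

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LnkIconHandlerState {
    # 'Missing', 'Disabled' (workaround applied), 'Default' or 'Custom'
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey)
    if ($null -eq $key) { return 'Missing' }
    try { $value = [string]$key.GetValue('') } finally { $key.Close() }
    if ([string]::IsNullOrEmpty($value)) { return 'Disabled' }
    if ($value -eq $DefaultClsid) { return 'Default' }
    return 'Custom'
}

function Set-LnkIconHandler {
    param([Parameter(Mandatory = $true)][ValidateSet('Disable', 'Restore')][string]$Action)
    if (-not (Test-IsAdministrator)) { throw 'Administrative (elevated) rights are required.' }
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey, $true)
    if ($null -eq $key) { throw "Registry key HKCR\$SubKey not found." }
    try {
        if ($Action -eq 'Disable') {
            # Export the key once, before the first change, so the original survives.
            $backup = Join-Path $env:TEMP 'IconHandler-backup.reg'   # hypothetical file name
            if (-not (Test-Path -LiteralPath $backup)) {
                & reg.exe export "HKCR\$SubKey" $backup | Out-Null
            }
            $key.SetValue('', '')               # blank (Default) value: no .lnk icon parsing
        } else {
            $key.SetValue('', $DefaultClsid)    # put the stock handler back
        }
    } finally { $key.Close() }
    return Get-LnkIconHandlerState
}

Get-LnkIconHandlerState   # read-only check; safe to run without elevation
```

`Set-LnkIconHandler -Action Disable` applies the workaround and `Set-LnkIconHandler -Action Restore` reverts it; as with lnkProtect, a restart is needed for the change to take effect.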

To use lnkProtect, you should have one of the following Windows versions installed on your computer:

  • Windows 2000
  • Windows XP (32- or 64-bit)
  • Windows Vista (32- or 64-bit)
  • Windows Server 2003 (32- or 64-bit)
  • Windows 7 (32- or 64-bit)

You must also have Microsoft .NET Framework 2.0 Service Pack 2 installed on your computer. This is already installed by default on Windows Vista and Windows 7. Windows 2000, Windows XP and Windows Server 2003 users should download and install it as described later in the article.

lnkProtect must be run with administrative privileges to allow setting values in Windows Registry. Instructions for this are also provided later in the article.

Downloading and installing lnkProtect

You can download lnkProtect installer named lnkProtectInstall.exe here.

Internet Explorer opens File Download dialog, click Run:
Internet Explorer File Download dialog, choose Run.

After download is complete, Internet Explorer tries to locate some certificate in the downloaded file. As I have not purchased one for now (it's expensive, but you can support me by clicking the yellow PayPal Donate link at the end of the article), you will see a Publisher Unknown warning.
Click Run:
Internet Explorer 8 File Download - Security Warning. Click Run.

By default, lnkProtect will be installed in your My Documents (Windows 2000, XP and Server 2003) or Documents (Windows Vista and 7) subfolder named lnkProtect. Please remember that lnkProtect creates no Start menu items or Desktop icons - you can easily find it under your My Documents or Documents folder instead.
After the install is complete, the lnkProtect folder opens automatically and it might hide the installer window. Either way, you can always safely close the installer by clicking Close.
lnkProtect Setup: Completed. Click Close.

Running lnkProtect as an administrator

If you are logged in as an administrator in Windows 2000, XP or Server 2003, you can double-click the file named lnkProtect.exe now to launch the program.
All Windows Vista and 7 users and Windows XP and Server 2003 users with no administrative rights should right-click the lnkProtect.exe file and select Run as administrator or Run as..., respectively.
Windows Vista and Windows 7, to run lnkProtect with elevated rights, right-click the lnkProtect.exe file and click Run as administrator. Windows 2000, XP and Server 2003, to run lnkProtect with elevated rights, right-click the lnkProtect.exe file and click Run as.

Windows Vista and 7 users should click Allow or Yes in User Account Control warning window.
Windows Vista, User Account Control warning about lnkProtect.exe accessing your computer. Click Allow.

In case you did not launch lnkProtect with elevated (administrative) rights, you will see the following error message. Click OK and use Run as administrator or Run as... command.
lnkProtect must be run with administrative (elevated) rights. Click OK.

If lnkProtect starts without error messages about .NET Framework, move on to Protecting or Restoring default settings part.
If you do see error messages, read on.

Installing Microsoft .NET Framework 2.0 Service Pack 2 in Windows 2000, XP and Server 2003

Windows 2000, XP and Windows Server 2003 might not have .NET Framework 2.0 installed. In such a case you might encounter error messages such as "The application failed to initialize properly (0xc0000135)" or "To run this application, you must first install one of the following versions of the .NET Framework: v2.0.50727". Click OK or No in the dialogs.
ControlAutoRun - no .NET Framework installed. The application failed to initialize properly. Click OK.

ControlAutoRun - required version of .NET Framework installed. To run this application, you must first install one of the following versions of the .NET Framework: v2.0.50727. Click No.

To download Microsoft .NET Framework 2.0 Service Pack 2, click this link.
Click Download files below.
Microsoft .NET Framework 2.0 SP2 download page. Click Download files below.

Next, click the Download button to the right of your Windows version. x86 means 32-bit version of Windows and x64 means 64-bit version of Windows. Most users have 32-bit version (x86) of Windows XP and Server 2003.
Microsoft .NET Framework 2.0 SP2 download page. Click Download button according to the version of Windows you have. x86 means 32-bit Windows, x64 means 64-bit Windows.

Click Run in the File Download dialog.
Internet Explorer 8 File Download Security Warning. Click Run to open the file after downloading.

After the download is complete, click Run again.
Internet Explorer 8 Security Warning, click Run.

Microsoft .NET Framework 2.0 SP2 Setup window opens after a while. Click I have read and ACCEPT the terms of the License Agreement. Then click Install >.
Microsoft .NET Framework 2.0 SP2 Setup - Welcome to Setup. Click I have read and ACCEPT the terms of the License Agreement. Then click Install.

The installation might take several minutes. After it is complete, click Exit.
Microsoft .NET Framework 2.0 SP2 Setup - Setup Complete. Click Exit.

Click Yes if you see a reboot/restart prompt. Wait until your computer restarts and then launch lnkProtect.exe from lnkProtect folder under My Documents.

Protecting your Windows computer from shortcut file vulnerability using lnkProtect

After lnkProtect starts, it will display your current Windows version and check whether shortcut icon blocking is enabled or not.

Text color above the only button denotes whether settings are as recommended: green means that the setting is fine, red means that the setting is not as recommended.

Here we have default settings that are unsafe until Microsoft releases a patch for this vulnerability. Click Disable the displaying of icons for shortcuts:
lnkProtect, default settings are unsafe until Microsoft releases a patch. Click Disable the displaying of icons for shortcuts.

You will then see a dialog reminding you that a system restart is necessary for the changes to take effect. Click OK.
lnkProtect, done disabling the displaying of icons for shortcuts. Click OK.

You will also notice that the text above the button and on the button has changed.
lnkProtect, done disabling the displaying of icons for shortcuts. A system restart is required for the changes to take effect.

You can close lnkProtect either using keyboard shortcut Alt+F4 or by opening File menu and clicking Exit.
lnkProtect - to close the program, open File menu and click Exit.

Restart your computer after this for the changes to take effect!

After a restart, you will notice no icons for most items on Start menu's All Programs list and in Quick Launch Toolbar.
Windows XP, lnkProtect turned on - no icons for shortcuts in Start menu All Programs list or Quick Launch Toolbar.

Restoring Windows default icon settings for shortcut files using lnkProtect

After Microsoft releases the patch for the shortcut file security bug and you have installed it, or if there seems to be trouble after disabling the displaying of icons for shortcuts, you can disable this temporary workaround.

See our Enable Microsoft Update in Windows XP, Configure Automatic Updates in Windows Vista and Configure Automatic Updates in Windows 7 articles for automatically updating your Windows.

Launch lnkProtect with administrative rights and click Restore the displaying of icons for shortcuts:
lnkProtect, to restore default icon settings for shortcut files in Windows, click the Restore the displaying of icons for shortcuts button.

You will then see a dialog reminding you that a system restart is necessary for the changes to take effect. Click OK.
lnkProtect, done restoring the displaying of icons for shortcuts. Click OK.

You will also notice that the text above the button and on the button has changed.
lnkProtect, done restoring the displaying of icons for shortcuts. A system restart is required for the changes to take effect.

You can close lnkProtect either using keyboard shortcut Alt+F4 or by opening File menu and clicking Exit.
lnkProtect - to close the program, open File menu and click Exit.

Restart your computer after this for the changes to take effect!




© Copyright 2009-2013 - Margus Saluste