<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.17063" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#8ea8c4>
<DIV><FONT face=Arial size=2>It's been a busy 24 hours looking into this newest
flaw in Windows. Lots of research has gone into it and most of the results are
not good news for Windows users. It is important to think about this attack
as two separate pieces, one that is a new zero-day vulnerability that could
easily be adopted by any malware author, the other a unique payload that
appears to be designed to go after some very specific infrastructure
targets.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>For corporate users (unless you run a power plant,
water system or other SCADA system) the important part is the
zero-day flaw. Warning: I am about to go a bit geeky.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>The flaw is in how shell32.dll tries to load
control panel icons from applets. By making a specially crafted shortcut
pointing to a malicious file, you can make Windows Explorer blindly execute
the malicious file when the location of the shortcut is merely browsed to. In
this case the malicious file is a rootkit and a dropper that immediately hide
the special shortcut (.lnk) files. Allowing executable code to load in the
process of trying to retrieve an icon seems like a major oversight in the
design of Windows.</FONT></DIV>
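<DIV><FONT face=Arial size=2>Added example, not code from the Sophos post or from this message: a Python scanner that parses a shell link (.lnk) header and its LinkTargetIDList according to the MS-SHLLINK layout and flags shortcuts whose target items embed a DLL path, which a normal shortcut to a file or folder never carries. The sample shortcuts are constructed inline; the drive letter and file name in them are placeholders.</FONT></DIV>

```python
import re
import struct

# Header constants from the MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x1
# A DLL path inside the target item list is the red flag this scanner looks for.
ASCII_DLL = re.compile(rb"[\w\\:.\- ]+\.dll", re.IGNORECASE)
WIDE_DLL = re.compile(rb"(?:[\w\\:.\- ]\x00)+\.\x00d\x00l\x00l\x00", re.IGNORECASE)


def parse_lnk_idlist(data: bytes) -> list[bytes]:
    """Return the raw shell items of a .lnk file's LinkTargetIDList."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    if not struct.unpack_from("<I", data, 0x14)[0] & HAS_LINK_TARGET_IDLIST:
        return []
    idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos, end, items = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size, []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:  # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def dll_references(lnk: bytes) -> list[str]:
    """DLL paths (ASCII or UTF-16LE) embedded in the shortcut's target item list."""
    refs = []
    for item in parse_lnk_idlist(lnk):
        refs += [m.decode("ascii", "replace") for m in ASCII_DLL.findall(item)]
        refs += [m.decode("utf-16-le", "replace") for m in WIDE_DLL.findall(item)]
    return refs


def build_sample_lnk(items: list[bytes]) -> bytes:
    """Constructed input, not a real sample: a minimal link carrying the given shell items."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples: a shortcut to a text file, and one whose target item embeds a DLL path.
BENIGN_LNK = build_sample_lnk([b"\x1f\x50" + bytes(16), b"\x31notes.txt\x00"])
DLL_LNK = build_sample_lnk([b"\x1f\x50" + bytes(16), b"\x00" + "X:\\drive\\loader.dll".encode("utf-16-le")])
```

Run `dll_references(open(path, "rb").read())` over every .lnk on a mounted removable drive before browsing it in Explorer; any non-empty result deserves a look in a sandbox rather than a double-click.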
<DIV><FONT face=Arial size=2>To continue, go to Sophos below:</FONT></DIV>
<DIV><FONT face=Arial size=2> <A
href="http://www.sophos.com/blogs/chetw/g/2010/07/16/windows-day-attack-works-windows-systems/">http://www.sophos.com/blogs/chetw/g/2010/07/16/windows-day-attack-works-windows-systems/</A><BR><BR></FONT></DIV>
</BODY></HTML>