Group Policy Blog

Group Policy Tips, Tricks, and News from Darren Mar-Elia

Using GP Preferences to protect against the zero-day shortcut vulnerability

Microsoft recently announced a new security vulnerability in Windows shortcuts that affects all versions of Windows since XP! It is referenced here: http://support.microsoft.com/kb/2286198. This particular vulnerability takes advantage of the icon that appears in shortcut (.lnk and .pif) files on Windows. Within the article cited above, Microsoft provides a “FixIt” workaround for the problem that essentially removes the icon from the shortcut, leaving a blank icon in its place. In looking at what they are doing in the FixIt, it struck me that you could leverage the GP Preferences registry extension to blow this fix out to your entire environment pretty quickly. So, what I did was create two new GP Preferences registry items that update the appropriate registry values and remove the data from those values. The values in question are:

HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler\@

HKEY_CLASSES_ROOT\piffile\shellex\IconHandler\@

Where @ represents the “Default” registry value. Each of these values needs to have no data in it in order for this fix to work (and you’ll need to restart the target machine).

The GP Preferences items were very easy to craft. The following screenshot shows an example of the one I did for the lnk files:

Note that the value data field is left blank. That, in combination with using the “Update” action on the GP Preferences item, makes it easy to blank out a registry value. I then repeated this same process for the piffile path in the registry. Since I created this policy under “Computer Configuration”, I targeted the GPO to my computer objects in AD by linking it to an OU containing my computers. During the next policy refresh, the fix applied and I was protected. When an update is provided by Microsoft, you can again use the GP Preferences registry extension to update the registry value with its previous, default value, which is “{00021401-0000-0000-C000-000000000046}” for both lnkfile and piffile.
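For machines where you want to verify what the GPO actually did, or to apply the same change outside of Group Policy, here is an added PowerShell example (mine, not from the original post or from Microsoft’s FixIt) that audits the two IconHandler default values, applies the blanking workaround, or restores the stock CLSID quoted above. The function names and the HKCR drive mapping are my own choices; run it elevated, and as with the GPP version a restart is needed before Explorer picks up the change.

```powershell
# Added example: audit / apply / revert the IconHandler workaround described above.
# Not part of the original post; function names and the HKCR drive are assumptions.

# The stock handler CLSID quoted in the post, used both for auditing and for reverting.
$DefaultIconHandler = '{00021401-0000-0000-C000-000000000046}'

# The two keys the GP Preferences items target (default value of each).
$IconHandlerKeys = @('lnkfile\shellex\IconHandler', 'piffile\shellex\IconHandler')

# HKCR is not exposed as a drive by default; map it so the paths below resolve.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-IconHandlerState {
    # Reports, per key, whether the default value is blank (workaround applied),
    # the stock CLSID (workaround not applied), or something else worth a look.
    foreach ($k in $IconHandlerKeys) {
        $path  = "HKCR:\$k"
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrEmpty($value)) {
            $state = 'Blank - workaround applied'
        } elseif ($value -eq $DefaultIconHandler) {
            $state = 'Stock handler - workaround not applied'
        } else {
            $state = 'Unexpected handler - investigate'
        }
        [pscustomobject]@{ Key = $path; Data = $value; State = $state }
    }
}

function Set-IconHandlerWorkaround {
    # Blanks both default values (same effect as the GPP "Update" items with an
    # empty data field). With -Revert, writes the stock CLSID back instead.
    param([switch]$Revert)
    $data = if ($Revert) { $DefaultIconHandler } else { '' }
    foreach ($k in $IconHandlerKeys) {
        Set-ItemProperty -Path "HKCR:\$k" -Name '(default)' -Value $data
    }
}

# Show the current state before and after applying the workaround.
Get-IconHandlerState | Format-Table -AutoSize
Set-IconHandlerWorkaround
Get-IconHandlerState | Format-Table -AutoSize
# Later, once the patch is installed:  Set-IconHandlerWorkaround -Revert
```

The audit output is also a quick way to confirm, after a policy refresh, that the GPO landed on a given machine rather than assuming it did.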

Cool! GP Preferences strikes again!

Darren


Copyright ©2013 SDM Software, Inc.