Windows Shortcut Exploit Protection Tool

On the page which has the same title as the subject of this message (http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html), the first paragraph ends with:

".... Our free, easy-to-use tool blocks this exploit from running on your computer."

From reading other posts on this subject, it is clear that this unqualified claim is quite misleading, even deceiving.  It does not say that the tool only "blocks this exploit" in very limited circumstances.

Apparently, by no means should we rely on the Sophos tool, and use MicrosoftFixit50487.msi to reverse the effects of using MicrosoftFixit50486.msi after installing it -- although no representative of Sophos has advised us to do that.  (They do seem to believe that their security software will protect their customers without using the Microsoft FixIt.)

The third paragraph ends with:

".... Our tool will notify you if you happen to browse to an exploited link and it will block the exploit from running."

The meaning of this claim is simply not clear.  How does anyone "browse to an exploited link"?  The word "link" in the context of using a browser to fetch pages from web sites, by using an HTML hyperlink, is considerably different from the context of using a Windows shortcut, which is a file on the user's computer system, to launch an executable.  Like the first claim, this one is unequivocal but questionable, considering what has been revealed in the other posts on this subject.

If I cannot trust that Sophos is telling me everything that I really do need to know, then how can I trust the "tool" or any other Sophos software?



This thread was automatically locked due to age.
  • Hi Stardance,

    The tool covers cases where the .LNK and the target DLL are both on remote locations. I made this choice for the first release to reduce the number of false positives and deliver usable protection quickly. We have been working on a second version which would provide more protection while keeping the false positives low, but with Microsoft's announcement of a patch we are going to recommend people to patch, which is the best option.

    The comment about browsing references instances where the exploit is embedded in a website, which is another way the exploit can be used.

    We have been putting a lot of time into answering questions on the forum, blogs and our support line to make sure people have all the information they need.

    Let me know if you spot any other confusing statements and I will be glad to clarify them,

    Shai Gelbaum

    Product Manager

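Shai's reply above describes the first release as covering shortcuts whose target DLL sits on a remote location. The script below is an added example, not Sophos's tool or its detection logic: it is a simple heuristic scanner that validates the Shell Link header (the 0x4C header size and the shell link CLSID from the MS-SHLLINK specification) and then flags any UNC path ending in .dll or .cpl found in the file's ANSI or UTF-16LE strings. The sample shortcut bytes it builds are constructed for the example and are not a working .LNK, and the real exploit's shell item layout is not reproduced here.

```python
"""Heuristic scanner for .LNK files that reference a DLL/CPL on a UNC path.

Added example (not the Sophos tool). It only proves the idea that a shortcut
pointing at a remote DLL is worth flagging; it does not parse the full shell
item structure, so treat hits as leads for analysis, not verdicts.
"""
import re
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, stored little-endian in the header
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# \\server\share\...\name.dll or .cpl (case-insensitive)
_UNC_DLL = re.compile(r"\\\\[^\\\s]+\\[^\s]*?\.(?:dll|cpl)\b", re.IGNORECASE)


def is_shell_link(data: bytes) -> bool:
    """True if the first 76 bytes look like a MS-SHLLINK ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def extract_strings(data: bytes):
    """Yield printable UTF-16LE and ANSI string runs (4+ chars) from the file."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", data):
        yield m.group().decode("utf-16-le")
    for m in re.finditer(rb"[\x20-\x7e]{4,}", data):
        yield m.group().decode("ascii")


def remote_dll_targets(data: bytes) -> list:
    """Return the distinct UNC .dll/.cpl paths referenced by a shortcut."""
    if not is_shell_link(data):
        return []
    found = []
    for s in extract_strings(data):
        for m in _UNC_DLL.finditer(s):
            if m.group() not in found:
                found.append(m.group())
    return found


def scan_directory(root: str) -> dict:
    """Map each suspicious .lnk path under root to the remote DLLs it names."""
    hits = {}
    for lnk in Path(root).rglob("*.lnk"):
        targets = remote_dll_targets(lnk.read_bytes())
        if targets:
            hits[str(lnk)] = targets
    return hits


def build_sample_lnk(target: str) -> bytes:
    """Constructed sample: a valid header followed by the target as a
    UTF-16LE string. Enough for the scanner, not a functional shortcut."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + target.encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    # Assumed, constructed paths; 10.0.0.5 is a placeholder address.
    bad = build_sample_lnk(r"\\10.0.0.5\share\payload.dll")
    good = build_sample_lnk(r"C:\Windows\System32\shell32.dll")
    print("remote DLL:", remote_dll_targets(bad))
    print("local DLL:", remote_dll_targets(good))
```

Because the check is string-based, a shortcut that reaches the DLL through a local mapped drive letter or a WebDAV-backed path will not be flagged; that narrowness is the same trade-off Shai describes, fewer false positives at the cost of coverage.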
  • Hi,

    With Microsoft's support model for Windows 2000, we're not going to receive a patch from them.  I noticed that the tool installs on Windows 2000.  We are a Sophos AV customer and want protection for our 50+ remaining 2k servers.  Will you create a v2 of this tool that will also protect win2k?

    Thanks,

  • Hi Corporate_admin,

    I'm informed by SophosLabs that the functionality in Sophos Anti-Virus works on Windows 2000 machines -- so as long as they're protected, they're, ahem, protected. :)

    Hope this helps,

    Lil

  • Hi Sophos user community!

    I'm a Windows 2k user too, and installed the Sophos protection tool against the new link file exploit.

    Since .pif files (aka links to DOS applications on Windows) reportedly are exploitable in the same way as .lnk, would Sophos not provide a similar filtering tool for this variant?

    Thank you very much for the great work and free protection tools !

    [Edit:] Sorry, I now see the question of PIF exploit detection was asked in another thread. Yet, please do add it if possible!

    Also, please go on protecting the unfortunate users of Windows NT, 2000 and XP (SP2 still has a 15% share, that would be over a hundred million users!).  Thank you so much !!!

    Fellow users, how about pressuring Microsoft into providing the fixed shell32 at least to Win 2k and XP SP2 users for free? They undoubtedly have it developed (for customers with support contracts). And since they say they care about the damage their blunder is causing to "the internet ecosystem", wouldn't it be just the right thing for them to do to prove their good faith?

    --

    Czerno
