Bryan Owen's Blog

March Madness

Posted by Bryan Owen Employee Mar 11, 2015

March Madness also describes the 10-Mar Microsoft security updates.

 

Of Stuxnet fame, there is a new fix for the LNK vulnerability in MS15-020.

 

It turns out the initial fix had a bug. A malicious LNK file with a link path of exactly 257 characters containing embedded unescaped spaces, and two "target" files (one with embedded unescaped spaces and one without), can still execute code.

 

As obscure as it sounds, it's now public knowledge. Happy patching!

 

The technical report on HP ZDI provides the details.

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-…