Favicons Temporarily Disabled
Country: US
Comments: 6467
News Posts: 413
Joined: 2008-06-21
 
Sun, 25 Jul 2010 01:08:02
0
A zero-day exploit in several versions of Windows has been found that includes the ability to execute malicious code spread through favicons.  Because of this, site favicons have been temporarily disabled for news stories.  This will be restored once there has been a patch.

Details here: http://secunia.com/advisories/22159/
Edited: Sun, 25 Jul 2010 01:17:05

---

Tell me to get back to rewriting this site so it's not horrible on mobile
Country: CO
Comments: 11520
News Posts: 1163
Joined: 2008-06-24
 
Sun, 25 Jul 2010 03:55:24
0
What are favicons?
Country: US
Comments: 6467
News Posts: 413
Joined: 2008-06-21
 
Sun, 25 Jul 2010 04:01:17
0
Favicons are the small icons in tabs and beside the address bar that appear for sites.

There shouldn't be any issue on our end for displaying them on the news as it's inline, but I'm taking the precautionary stance.  The primary basis is to not be downloading them to the server for now.

---

Tell me to get back to rewriting this site so it's not horrible on mobile
Country: US
Comments: 17189
News Posts: 2804
Joined: 2008-06-21
 
Sun, 25 Jul 2010 04:01:36
0

SteelAttack said:
What are favicons?

favicons

The VG Press

Country: US
Comments: 17189
News Posts: 2804
Joined: 2008-06-21
 
Sun, 25 Jul 2010 04:10:27
0
I disabled the favicons in Firefox. Is that all that's needed to be safe?

The VG Press

Country: US
Comments: 6467
News Posts: 413
Joined: 2008-06-21
 
Sun, 25 Jul 2010 04:47:03
0
The issue is much broader than just the favicons, that's just a vector.  The problem is in Windows shell itself (the graphical display infrastructure used for GUIs).

From my perspective, the demonstrated possibility to exploit it through favicons was the most significant known concept thus far, but it's just a symptom.  There's no real workaround as it's too integral to the entire operating system (the result would be disabling ALL icon displays).  Though if you worked locally in DOS and browsed the web on Lynx you'd be safe.

EDIT: Actually, there is technically the ability to replace the Windows shell with a third-party program, but it's not a nice process.  Just avoid the dark places of the net, don't let random people with USB sticks near your computer, and keep patched as updates come along.
Edited: Sun, 25 Jul 2010 04:57:25

---

Tell me to get back to rewriting this site so it's not horrible on mobile
Country: UN
Comments: 48362
News Posts: 59780
Joined: 2008-06-21
 
Sun, 25 Jul 2010 14:10:47
0

I never click those things.

Country: US
Comments: 6467
News Posts: 413
Joined: 2008-06-21
 
Sun, 25 Jul 2010 15:06:13
0
gamingeek said:

I never click those things.

They aren't for clicking.

---

Tell me to get back to rewriting this site so it's not horrible on mobile
Country: US
Comments: 18436
News Posts: 2100
Joined: 2008-06-21
 
Sun, 25 Jul 2010 15:13:39
+1
YODABOTS WAGE THEIR BATTLES TO DESTROY THE EVIL FORCES OF THE FAVICONS!


Country: UN
Comments: 19280
News Posts: 9317
Joined: 2008-08-18
 
Mon, 26 Jul 2010 00:38:36
old Nyaa

It's so funny.  It's a vulnerability with .lnk files, yeah?  I think they waited to exploit it until MS turned off support for 2K and XP a couple of weeks ago.  Not really, no one has that much patience, but still it was good timing.

But good catch on that.  I didn't even think of the use of favicons on the site.
Edited: Mon, 26 Jul 2010 00:40:52

Country: US
Comments: 6467
News Posts: 413
Joined: 2008-06-21
 
Thu, 05 Aug 2010 00:13:43
An out-of-cycle patch was released yesterday, so make sure you've updated if you're running Windows.  Note, however, that support for Windows XP SP2 is officially stopped, so you aren't getting patches anymore.  Move to SP3 if you're still on XP.

---

Tell me to get back to rewriting this site so it's not horrible on mobile