This problem has been documented very clearly in several places, but folks seem to be getting the run around on an actual fix. Before going any further, please read the following to understand the problem (sorry for the odd links, I am still waiting on account verification):
http://www.ryanandjeffshow.com/blog/2013/04/05/the-microsoft-windows-unquoted-service-path-vulnerability/
This was discussed at length in this technet forum to no avail:
http://social.technet.microsoft.com/Forums/windows/en-US/402a8487-4612-4350-9777-9bbd32edf45b/develop-script-to-fix-unquote-binary-path-or-use-tool-such-as-wsus-or-group-policy-with-script-quote
The long and short is as follows:
We have hundreds of servers and many more workstations reporting the vulnerability, and the only fix I am able to find (PowerShell scripts) is one I find risky. Deploying a script to hundreds of machines, potentially affecting thousands of services, is just a bad idea, no matter how good your script is. And, as previous folks have explained, you will have to continually do this, as evidently NEW software still has the problem.
On my Windows 7 machine, I ran the following command to grab the bad services:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
I got several hits, but here is one example:
- Intel(R) Management and Security Application Local Management Service
- LMS
- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
If I run "net stop LMS"
Then "echo "foo" > c:\program.exe"
Then "net start LMS"
I get the following:
System error 216 has occurred.
This version of *** is not compatible with the version of Windows you're running. Check your computer's system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.
Meaning the service tried to run c:\program.exe and failed.
This is clearly a flaw in how MS is handling unquoted paths. Three of the affected services are up to date software and security related. Just preventing these from starting would be bad. I will be contacting the vendors of some key software, but if I look at the entire list, I would spend the rest of my days just trying to find vendors and explain this to them.
What is MS going to do to resolve this?
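An added example, not code from the original post or from Microsoft: a PowerShell audit that performs the same check as the wmic command above, shows which file names Windows would probe before reaching the real binary (c:\program.exe being the first for the LMS case), and re-quotes the ImagePath only when run with -Fix, honouring -WhatIf so the change can be previewed. Win32_Service, the Services registry key and the probe order are standard Windows behaviour; the regex and function names are this example's own.

```powershell
<#
  Added example (not from the original post or Microsoft): audits services for
  unquoted ImagePath values containing spaces, lists the files Windows would
  probe before the real binary, and optionally re-quotes the path. Run elevated;
  assumes PowerShell 3+ on Windows.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

# Registry location of service definitions; ImagePath is what the SCM launches
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ProbeCandidates {
    # Mirrors CreateProcess parsing of an unquoted command line: each space-delimited
    # prefix is tried (with .exe appended) before the full path is reached.
    param([string]$Path)
    $parts = $Path -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

foreach ($svc in Get-CimInstance Win32_Service) {
    $p = $svc.PathName
    if (-not $p -or $p.StartsWith('"')) { continue }          # already quoted
    # Separate the executable from trailing arguments at the first ".exe"
    $m = [regex]::Match($p, '^(.+?\.exe)(\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { continue }
    $exe = $m.Groups[1].Value; $svcArgs = $m.Groups[2].Value
    if ($exe -notmatch ' ') { continue }                      # no space, no ambiguity
    if ($exe -match '^[A-Za-z]:\\Windows\\') { continue }     # skip system dir, as the wmic filter does

    [pscustomobject]@{
        Service   = $svc.Name
        StartMode = $svc.StartMode
        ImagePath = $p
        Probed    = (Get-ProbeCandidates $exe) -join '; '
    }

    if ($Fix) {
        $quoted = '"' + $exe + '"' + $svcArgs
        if ($PSCmdlet.ShouldProcess($svc.Name, "set ImagePath to $quoted")) {
            Set-ItemProperty -Path (Join-Path $svcKey $svc.Name) -Name ImagePath -Value $quoted
        }
    }
}
```

Run without -Fix to get a report only; `.\Audit-ServicePaths.ps1 -Fix -WhatIf` prints every intended registry change without applying it.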