I seem to be in an instigating mood this week, so I'll throw this one out for comments.
This is an excerpt from the Security Now podcast with Steve Gibson and Leo Laporte, Episode #259 (Listener Feedback #97).
Leo is reading a viewer question and Steve is answering:
Leo: Yeah, yeah. Good. Lee Elliott in Columbia, Missouri has thought about the new Windows LNK shell vulnerability and virtual surfing: Steve and Leo, I've been listening for a few years. I'm caught up with listening to, if maybe not fully understanding, all of the episodes. Join the club, by the way, Lee. This Windows shell vulnerability has me a little freaked out. I'm looking at a bunch of "white page" icons right now on my Windows 7 machine. This seems a bit Draconian. I guess he applied the Microsoft workaround.
Steve: Fix, the temporary fix, yes.
Leo: Assuming that I'm not vulnerable to a sneaker net attack, would it adequately protect me to do all my surfing on a Linux virtual machine? Of course this would mean not opening documents, et cetera, outside of that virtual machine that might have an offending shortcut, and I don't have any network shares. Basically, I'm trying to avoid inadvertently surfing to a malicious web page. Or am I misunderstanding the threat, or the protection that surfing from a virtual Linux machine might provide? Hey, that's a great suggestion. Lee Elliott, Columbia, Missouri - SpinRite owner, Carbonite user, Audible listener. Right on.
Steve: Okay. Absolutely, doing your surfing in a Linux virtual machine is about the best thing I could imagine for protection, better even than surfing in a Windows virtual machine because a Windows virtual machine will be a virtual machine known to be vulnerable. You would be counting on the virtualization to protect you, which is probably a good bet. But, gee, if all you really want to do is surf, then Linux is going to boot faster. So just use a nice Linux running in a virtual machine, and it doesn't have the shortcut problem at all. So by essentially switching to Linux for your surfing, by virtue of running it in a virtual machine running on top of Windows, you have complete containment of surfing. So you have the security of just in general being on Linux, which is not being attacked to the same degree that Windows is, so there's a bonus there. And you have virtualization, so there's a bonus there. And you're in an OS that doesn't have the LNK shell shortcut problem. So that's just - that's a huge win. Absolutely. I would recommend that. If that's something that you want to do, you're completely safe from this particular problem - and probably lots of other ones that we don't know about yet.
Leo: In fact, if I were you, I would just throw out the Windows and run Linux.
Steve: Yeah, exactly.