Microsoft has announced plans to launch an emergency patch for the .lnk vulnerability in the Windows shell, after initially indicating it would wait for the next Patch Tuesday release.
Despite categorising the flaw - which can cause unauthorised code to execute simply by browsing to a network share or storage device containing a maliciously-crafted .lnk or .pif shortcut file - as critical, Microsoft chose to wait until its next patch release cycle date owing to a lack of in-the-wild attacks against the flaw.
Sadly, that has changed: with several strains of malware now taking advantage of the un-patched vulnerability, Microsoft has decided to release a fix for download later today - outside its normal release schedule. Microsoft Security Response Centre spokesman Christopher Budd confirmed that the patch comes as "in the past few days, we've seen an increase in attempts to exploit the vulnerability."
While system administrators will be thankful that a fix will soon appear - although the headache of an out-of-band patch installation can't be discounted - many are wondering just what took Microsoft so long. While it was clear at the start that this was a serious security flaw, Microsoft's decision to delay the release of a patch for almost a full month has left its customers at risk of attack - and, according to InformationWeek, directly contributed to the spread of the Sality worm.
Are you just pleased to see that a fix is now available for what is clearly a major security flaw in the Windows shell, or disappointed that it has taken Microsoft this long to provide a proper fix for the issue? Share your thoughts over in the forums.