BBC News – Microsoft issues ‘critical’ patch for shortcut bug 02/08/2010 | 20:01 GMT
Microsoft has issued a “critical” security update to fix a flaw in the way Windows handles shortcuts. The bug allowed attackers to craft booby-trapped shortcuts that allow them to take over a target computer. Many users set up shortcuts to get to programs and places in Windows that they use regularly. Microsoft said it released the patch because it had seen an increase in the number of attacks on the vulnerability. The fix will be sent out to those that automatically update their machines. It will also be available via the Windows Update site.
The flaw was found in mid-July and allows malicious hackers to embed commands in shortcuts that are executed when that quick link is used or viewed. Every version of Windows is vulnerable to the flaw. The first exploits of the flaw were seeded via infected USB drives and network connections. While exploitation of the flaw was limited initially, the tempo of attacks via the bug has escalated since it was discovered and publicised. Early attacks using the bug were aimed at the software control systems for critical infrastructure such as power stations. Microsoft signalled the severity of the problem by releasing an update outside its usual patch cycle. Security fixes are usually issued on the second Tuesday of every month. Christopher Budd, senior security response manager at Microsoft, wrote on the company’s security blog: “We’re able to confirm that, in the past few days, we’ve seen an increase in attempts to exploit the vulnerability”.