Microsoft readies emergency patch for Shortcut zero-day flaw

Updated Good news from Microsoft. It has announced that it plans to release an emergency out-of-band update to patch a critical Windows security vulnerability that is being actively exploited by malware.

The so-called Shortcut exploit is being exploited by specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction.

Malware exploiting the vulnerability have included Stuxnet, Chymin and Dulkis, Zbot, and – most recently – Sality.

“In the past few days, we’ve seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers,” Christopher Budd, Senior Security Response Communications Manager at Microsoft, wrote on the MSRC blog.

Microsoft normally publishes its security patches on the second Tuesday of each month, but this one is scheduled to be released today (Monday, August 2 2010) at 10am PST (1800 BST).

Whenever Microsoft releases an out-of-band patch it’s a big deal – they clearly think it’s an important enough issue to break their regular cycle and you should pay attention too. We would recommend that computer users apply the patch as soon as possible.

As Microsoft is issuing a permanent patch for the shortcut vulnerability, we would recommend that users uninstall the Sophos Windows Shortcut Exploit Protection Tool before applying the Microsoft fix.

Update Microsoft’s patch is now available for download. Read Microsoft Security Bulletin MS10-046 on their website for further information.

Of course, the patch does not work on Windows XP SP2 and earlier, which is no longer supported by Microsoft.

* Image source: Chris Violette’s Flickr Photostream (Creative Commons)