Microsoft Plugs Windows Shortcut Flaw With Emergency Fix
Microsoft on Monday released Security Bulletin MS10-046, an emergency fix for a vulnerability that affects nearly every version of Windows and Windows Server.
Microsoft is slated to release its monthly Patch Tuesday security update on Aug. 10. As it has on several occasions this year, Microsoft has decided that the level of exploit activity around this particular vulnerability warranted an emergency fix.
Johannes Ullrich, Chief Research Officer at the SANS Institute and CTO of the Internet Storm Center, says Microsoft has become better in listening to customers and evaluating the risks to its customers.
"In years past, it has sometimes been hard to convince Microsoft about the seriousness of a particular threat," Ullrich told CRN in an e-mail. "There may also be more attention focused on these out of band patches. The turnaround time on the last one was impressive."
Andrew Plato, president of Anitian Enterprise Security, based in Beaverton, Ore., has had customers affected by the flaw and is happy to see Microsoft respond with the patch. "It’s a nasty vulnerability with some potentially disastrous ramifications," said Plato.
The Windows Shell vulnerability lets attackers spread malware by getting users to click on a maliciously crafted shortcut, and its potential for remote code execution prompted Microsoft to assign it its highest threat rating of "critical."
One of the more disconcerting aspects of the vulnerability is that attackers may have targeted SCADA systems (the term for computer controlled industrial monitoring systems), according to Plato. "This just underscores the need for SCADA systems to be isolated from the corporate network and have active defenses deployed, like intrusion prevention," he said.
However, organizations running IPS with updated signatures have been able to detect and block this attack for the past week or so, and to date there is no evidence that the vulnerability has taken down any critical systems, says Plato.
"This shows that more and more places are building secure networks. Defense in depth really works," Plato said.