Microsoft has announced it plans to break from its normal monthly schedule of security updates to issue an immediate patch for a critical zero-day vulnerability in the way the Windows Shell handles shortcut files. According to Microsoft, the exploit first appeared in the wild on July 16, and at that time targets were limited, but have been escalating in recent days.
“We are releasing the bulletin as we’ve completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers,” Microsoft senior security response communications manager Christopher Budd wrote in the company’s security response blog. “Additionally, we’re able to confirm that, in the past few days, we’ve seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”
The problem lies in the way Windows handles some .LNK shortcuts, particularly for icons on the desktop: the Windows Shell is not properly validating .LNK files in all cases.
Microsoft has been at odds with the security community in recent months, as an increasing number of serious vulnerabilities have been disclosed without giving Microsoft much advance warning; earlier this month, a group of security researchers vowed to look for Windows exploits and take them public without first sharing them with Microsoft at all. Microsoft has since extended an olive branch, announcing last week a new “coordinated vulnerability disclosure” process it hopes will address dissatisfaction in the broader security community.